import scap-security-guide-0.1.50-6.el8

2020-07-28 05:13:13 -04:00 · 2020-07-28 05:13:13 -04:00 · 82da654d43
commit 82da654d43
parent 7c9bce9777
17 changed files with 2524 additions and 251 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.47.tar.bz2
+SOURCES/scap-security-guide-0.1.50.tar.bz2
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@ -1 +1 @@
-4459787cf5bceb48e0743b84057196206e999ca4 SOURCES/scap-security-guide-0.1.47.tar.bz2
+1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@ -1,34 +1,36 @@
-From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 17 Dec 2018 13:30:06 +0100
-Subject: [PATCH] Disable profiles that are not in good shape for RHEL8.
+From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 17 Jan 2020 19:01:22 +0100
+Subject: [PATCH] Disable profiles that are not in good shape for RHEL8

 They raise too many errors and fails.
+Also disable tables for profiles that are not built.
 ---
- rhel8/CMakeLists.txt            | 3 ++-
+ rhel8/CMakeLists.txt              | 2 --
 rhel8/profiles/cjis.profile       | 2 +-
 rhel8/profiles/cui.profile        | 2 +-
- rhel8/profiles/hipaa.profile    | 2 +-
+ rhel8/profiles/rhelh-stig.profile | 2 +-
+ rhel8/profiles/rhelh-vpp.profile  | 2 +-
 rhel8/profiles/rht-ccp.profile    | 2 +-
 rhel8/profiles/standard.profile   | 2 +-
- 6 files changed, 7 insertions(+), 6 deletions(-)
+ 9 files changed, 8 insertions(+), 10 deletions(-)

 diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
-index 99bccbed7..77f8ccaec 100644
+index 40f2b2b0f..492a8dae1 100644
 --- a/rhel8/CMakeLists.txt
 +++ b/rhel8/CMakeLists.txt
-@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
+@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
 ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
 ssg_build_html_table_by_ref(${PRODUCT} "anssi")
 
 -ssg_build_html_nistrefs_table(${PRODUCT} "standard")
-+# Standard profile is disabled for RHEL8 as it is not in good shape
-+#ssg_build_html_nistrefs_table(${PRODUCT} "standard")
 ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ ssg_build_html_nistrefs_table(${PRODUCT} "stig")
 
 # Uncomment when anssi profiles are marked documentation_complete: true
+ #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal")
 diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
-index a7f8c0b16..c460793be 100644
+index 05ea9cdd6..9c55ac5b1 100644
 --- a/rhel8/profiles/cjis.profile
 +++ b/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -47,18 +49,28 @@ index eb62252a4..e8f369708 100644
 
 title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
 
-diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
-index feb98007c..0667f65ed 100644
--- a/rhel8/profiles/hipaa.profile
-+++ b/rhel8/profiles/hipaa.profile
+diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
+index 1efca5f44..c3d0b0964 100644
+--- a/rhel8/profiles/rhelh-stig.profile
+++ b/rhel8/profiles/rhelh-stig.profile
@@ -1,4 +1,4 @@
-documentation_complete: True
+-documentation_complete: true
 +documentation_complete: false
 
- title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+ title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
+ 
+diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
+index 2baee6d66..8592d7aaf 100644
+--- a/rhel8/profiles/rhelh-vpp.profile
+++ b/rhel8/profiles/rhelh-vpp.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
+documentation_complete: false
+ 
+ title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
 
 diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
-index 023663b21..8b22bc711 100644
+index c84579592..164ec98c4 100644
 --- a/rhel8/profiles/rht-ccp.profile
 +++ b/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -78,5 +90,5 @@ index a63ae2cf3..da669bb84 100644
 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
 
 -- 
-2.19.2
+2.21.1

--- a/SOURCES/scap-security-guide-0.1.48-e8_polish.patch
+++ b/SOURCES/scap-security-guide-0.1.48-e8_polish.patch
@ -1,60 +0,0 @@
-From 5f4e807cb6e54744ad69cd1e7d622c85ae4e8803 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Thu, 21 Nov 2019 16:28:23 +0100
-Subject: [PATCH 1/2] Updated the e8 profile for RHEL8.
-
- removed obsolete SSHD settings.
- added rules for crypto policies.
---
- rhel8/profiles/e8.profile | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
-index 53b4c156e2..f0f19a4708 100644
--- a/rhel8/profiles/e8.profile
-+++ b/rhel8/profiles/e8.profile
-@@ -123,14 +123,16 @@ selections:
-   - sshd_print_last_log
-   - sshd_use_priv_separation
-   - sshd_do_not_permit_user_env
-  - sshd_disable_rhosts_rsa
-   - sshd_disable_rhosts
-  - sshd_allow_only_protocol2
-   - sshd_set_loglevel_info
-   - sshd_disable_empty_passwords
-   - sshd_disable_user_known_hosts
-   - sshd_enable_strictmodes
- 
-+  - var_system_crypto_policy=default
-+  - configure_crypto_policy
-+  - configure_ssh_crypto_policy
-+
-   ### Application whitelisting
-   - package_fapolicyd_installed
-   - service_fapolicyd_enabled
-
-From 659326a1d4db99dc30c4807b5b5ce4c97db37709 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Mon, 25 Nov 2019 16:42:37 +0100
-Subject: [PATCH 2/2] Update the crypto policy and rationale.
-
---
- rhel8/profiles/e8.profile | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
-index f0f19a4708..f78e908482 100644
--- a/rhel8/profiles/e8.profile
-+++ b/rhel8/profiles/e8.profile
-@@ -129,7 +129,10 @@ selections:
-   - sshd_disable_user_known_hosts
-   - sshd_enable_strictmodes
- 
-  - var_system_crypto_policy=default
-+  # The E8 profile bans usage of SHA-1, and as of 11/2019 the FUTURE crypto policy is the only one that ensures this.
-+  # TODO: Re-evaluate after another crypto policies become available.
-+  # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
-+  - var_system_crypto_policy=future
-   - configure_crypto_policy
-   - configure_ssh_crypto_policy
- 
--- a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
+++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
@ -0,0 +1,71 @@
+From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 12 May 2020 08:17:20 +0200
+Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
+
+---
+ .../ansible/shared.yml                        | 33 +++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+ create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+new file mode 100644
+index 0000000000..5d76b3c073
+--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+@@ -0,0 +1,33 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: Configure daily log rotation in /etc/logrotate.conf
+  lineinfile:
+    create: yes
+    dest: "/etc/logrotate.conf"
+    regexp: "^daily$"
+    line: "daily"
+
+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
+  lineinfile:
+    create: no
+    dest: "/etc/logrotate.conf"
+    regexp: "^(weekly|monthly|yearly)$"
+    state: absent
+
+- name: Configure cron.daily if not already
+  block:
+    - name: Add shebang
+      lineinfile:
+        path: "/etc/cron.daily/logrotate"
+        line: "#!/bin/sh"
+        insertbefore: BOF
+        create: yes
+    - name: Add logrotate call
+      lineinfile:
+        path: "/etc/cron.daily/logrotate"
+        line: '/usr/sbin/logrotate /etc/logrotate.conf'
+        regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
+
+From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 12 May 2020 14:48:15 +0200
+Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
+
+Test scenario when monthly is there, but weekly is not.
+---
+ .../tests/logrotate_conf_extra_monthly.fail.sh                | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
+
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
+new file mode 100644
+index 0000000000..b10362989b
+--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
+@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i "s/weekly/daily/g" /etc/logrotate.conf
+echo "monthly" >> /etc/logrotate.conf
--- a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
+++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
@ -0,0 +1,115 @@
+From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 13 May 2020 20:49:08 +0200
+Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
+
+---
+ .../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
+ .../sshd_set_max_sessions/tests/wrong_value.fail.sh   | 11 +++++++++++
+ 2 files changed, 22 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+new file mode 100644
+index 0000000000..a816eea390
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+        sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
+    else
+            echo "MaxSessions 4" >> $SSHD_CONFIG
+fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+new file mode 100644
+index 0000000000..b36125f5bb
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+        sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
+    else
+            echo "MaxSessions 10" >> $SSHD_CONFIG
+fi
+
+From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 13 May 2020 20:53:50 +0200
+Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
+
+---
+ .../sshd_set_max_sessions/ansible/shared.yml         |  8 ++++++++
+ .../ssh_server/sshd_set_max_sessions/bash/shared.sh  | 12 ++++++++++++
+ .../tests/correct_value.pass.sh                      |  2 +-
+ .../sshd_set_max_sessions/tests/wrong_value.fail.sh  |  2 +-
+ 4 files changed, 22 insertions(+), 2 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
+new file mode 100644
+index 0000000000..a7e171dfe9
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
+@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+- (xccdf-var var_sshd_max_sessions)
+
+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
+new file mode 100644
+index 0000000000..fc0a1d8b42
+--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
+@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate var_sshd_max_sessions
+
+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+index a816eea390..4cc6d65988 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
+ if grep -q "^MaxSessions" $SSHD_CONFIG; then
+         sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
+     else
+-            echo "MaxSessions 4" >> $SSHD_CONFIG
+        echo "MaxSessions 4" >> $SSHD_CONFIG
+ fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+index b36125f5bb..bc0c47842a 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
+ if grep -q "^MaxSessions" $SSHD_CONFIG; then
+         sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
+     else
+-            echo "MaxSessions 10" >> $SSHD_CONFIG
+        echo "MaxSessions 10" >> $SSHD_CONFIG
+ fi
--- a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
+++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
@ -0,0 +1,147 @@
+From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 11:52:35 +0200
+Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
+
+Very likey a copy-pasta error from bash remediation for
+audit_rules_immutable
+---
+ .../audit_rules_system_shutdown/bash/shared.sh                  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+index 1c9748ce9b..b56513cdcd 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+@@ -8,7 +8,7 @@
+ # files to check if '-f .*' setting is present in that '*.rules' file already.
+ # If found, delete such occurrence since auditctl(8) manual page instructs the
+ # '-f 2' rule should be placed as the last rule in the configuration
+-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
+ 
+ # Append '-f 2' requirement at the end of both:
+ # * /etc/audit/audit.rules file 		(for auditctl case)
+
+From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 12:12:21 +0200
+Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
+
+Along with very basic test scenarios
+---
+ .../ansible/shared.yml                        | 28 +++++++++++++++++++
+ .../tests/augen_correct.pass.sh               |  4 +++
+ .../tests/augen_e_2_immutable.fail.sh         |  3 ++
+ 3 files changed, 35 insertions(+)
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
+new file mode 100644
+index 0000000000..b9e8fa87fa
+--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
+@@ -0,0 +1,28 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Collect all files from /etc/audit/rules.d with .rules extension
+  find:
+    paths: "/etc/audit/rules.d/"
+    patterns: "*.rules"
+  register: find_rules_d
+
+- name: Remove the -f option from all Audit config files
+  lineinfile:
+    path: "{{ item }}"
+    regexp: '^\s*(?:-f)\s+.*$'
+    state: absent
+  loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
+
+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+  lineinfile:
+    path: "{{ item }}"
+    create: True
+    line: "-f 2"
+  loop:
+    - "/etc/audit/audit.rules"
+    - "/etc/audit/rules.d/immutable.rules"
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
+new file mode 100644
+index 0000000000..0587b937e0
+--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
+@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
+new file mode 100644
+index 0000000000..fa5b7231df
+--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
+@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
+
+From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 14:06:08 +0200
+Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
+
+---
+ .../audit_rules_immutable/ansible/shared.yml                    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+index 5ac7b3dabb..1cafb744cc 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+@@ -17,7 +17,7 @@
+     state: absent
+   loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
+ 
+-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+   lineinfile:
+     path: "{{ item }}"
+     create: True
+
+From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 11:02:56 +0200
+Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
+
+---
+ .../audit_rules_system_shutdown/bash/shared.sh            | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+index b56513cdcd..a349bb1ca1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+@@ -4,16 +4,8 @@
+ #
+ # /etc/audit/audit.rules,			(for auditctl case)
+ # /etc/audit/rules.d/*.rules			(for augenrules case)
+-#
+-# files to check if '-f .*' setting is present in that '*.rules' file already.
+-# If found, delete such occurrence since auditctl(8) manual page instructs the
+-# '-f 2' rule should be placed as the last rule in the configuration
+ find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
+ 
+-# Append '-f 2' requirement at the end of both:
+-# * /etc/audit/audit.rules file 		(for auditctl case)
+-# * /etc/audit/rules.d/immutable.rules		(for augenrules case)
+-
+ for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
+ do
+ 	echo '' >> $AUDIT_FILE
--- a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
+++ b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
@ -0,0 +1,49 @@
+From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 21 May 2020 18:16:43 +0200
+Subject: [PATCH] Attribute content to CIS
+
+And update the description a bit.
+---
+ rhel7/profiles/cis.profile | 8 +++++---
+ rhel8/profiles/cis.profile | 8 +++++---
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
+index 0826a49547..829c388133 100644
+--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
+@@ -3,9 +3,11 @@ documentation_complete: true
+ title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
+ 
+ description: |-
+-    This baseline aligns to the Center for Internet Security
+-    Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
+-    12-27-2017.
+    This profile defines a baseline that aligns to the Center for Internet Security®
+    Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
+ 
+ selections:
+     # Necessary for dconf rules
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index f332ee5462..868b9f21a6 100644
+--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
+@@ -3,9 +3,11 @@ documentation_complete: true
+ title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
+ 
+ description: |-
+-    This baseline aligns to the Center for Internet Security
+-    Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
+-    09-30-2019.
+    This profile defines a baseline that aligns to the Center for Internet Security®
+    Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+ 
+ selections:
+     # Necessary for dconf rules
--- a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
+++ b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
@ -1,26 +1,24 @@
-From 3cf5caec6f0705d24bc3f285e19d1831714bca16 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Wed, 13 Nov 2019 18:05:32 +0100
-Subject: [PATCH 1/4] Add simple kickstart file for e8 profiles
+From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 25 May 2020 12:17:48 +0200
+Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8

-As the profile doesn't require a particular disk partition layout, I
-went for the 'autopart' feature.
 ---
- rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 122 ++++++++++++++++++++++++++++
- rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 122 ++++++++++++++++++++++++++++
- 2 files changed, 244 insertions(+)
- create mode 100644 rhel7/kickstart/ssg-rhel7-e8-ks.cfg
- create mode 100644 rhel8/kickstart/ssg-rhel8-e8-ks.cfg
+ rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
+ rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
+ 2 files changed, 250 insertions(+)
+ create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
+ create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg

-diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
+diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
 new file mode 100644
-index 0000000000..9e44a87a86
+index 0000000000..14c82c4231
 --- /dev/null
-+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
-@@ -0,0 +1,122 @@
-+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 7 Server
+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
+@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
 +# Version: 0.0.1
-+# Date: 2019-11-13
+# Date: 2020-05-25
 +#
 +# Based on:
 +# http://fedoraproject.org/wiki/Anaconda/Kickstart
@ -124,9 +122,12 @@ index 0000000000..9e44a87a86
 +# Create primary system partitions (required for installs)
 +autopart
 +
+# Harden installation with HIPAA profile
+# For more details and configuration options see command %addon org_fedora_oscap in
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
 +%addon org_fedora_oscap
 +        content-type = scap-security-guide
-+        profile = xccdf_org.ssgproject.content_profile_e8
+        profile = xccdf_org.ssgproject.content_profile_hipaa
 +%end
 +
 +# Packages selection (%packages section is required)
@ -140,19 +141,19 @@ index 0000000000..9e44a87a86
 +# Reboot after the installation is complete (optional)
 +# --eject	attempt to eject CD or DVD media before rebooting
 +reboot --eject
-diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
+diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
 new file mode 100644
-index 0000000000..3555f528cb
+index 0000000000..861db36f18
 --- /dev/null
-+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-@@ -0,0 +1,122 @@
-+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server
+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
+@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
 +# Version: 0.0.1
-+# Date: 2019-11-13
+# Date: 2020-05-25
 +#
 +# Based on:
 +# http://fedoraproject.org/wiki/Anaconda/Kickstart
-+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
 +
 +# Install a fresh new system (optional)
 +install
@ -220,143 +221,54 @@ index 0000000000..3555f528cb
 +firewall --enabled --ssh
 +
 +# Set up the authentication options for the system (required)
-+# --enableshadow	enable shadowed passwords by default
-+# --passalgo		hash / crypt algorithm for new passwords
-+# See the manual page for authconfig for a complete list of possible options.
-+authconfig --enableshadow --passalgo=sha512
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+# 
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux	erase all Linux partitions
-+# --initlabel	initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+autopart
-+
-+%addon org_fedora_oscap
-+        content-type = scap-security-guide
-+        profile = xccdf_org.ssgproject.content_profile_e8
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+
-+# Require @Base
-+@Base
-+
-+%end # End of %packages section
-+
-+# Reboot after the installation is complete (optional)
-+# --eject	attempt to eject CD or DVD media before rebooting
-+reboot --eject
-
-From 94249bce4b61c33e52f59efdb112e2082b4acf46 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 15 Nov 2019 11:19:51 +0100
-Subject: [PATCH 2/4] Use authselect for el8 kickstart
-
-auth and authconfig are deprecated
---
- rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-index 3555f528cb..e814024e2e 100644
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-@@ -72,10 +72,10 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
- firewall --enabled --ssh
- 
- # Set up the authentication options for the system (required)
-# --enableshadow	enable shadowed passwords by default
-# --passalgo		hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
 +# sssd profile sets sha512 to hash passwords
 +# passwords are shadowed by default
 +# See the manual page for authselect-profile for a complete list of possible options.
 +authselect select sssd
- 
- # State of SELinux on the installed system (optional)
- # Defaults to enforcing
-
-From 1ff6ab4ec0449074c4608eed0194903123eda34b Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 15 Nov 2019 11:22:31 +0100
-Subject: [PATCH 3/4] Updated kickstart documenation link for el8
-
---
- rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-index e814024e2e..41d4b3d654 100644
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-@@ -4,7 +4,7 @@
- #
- # Based on:
- # http://fedoraproject.org/wiki/Anaconda/Kickstart
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
- 
- # Install a fresh new system (optional)
- install
-
-From ef5edccc3ec58131644f31481ec3df20ab345229 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Mon, 18 Nov 2019 13:31:18 +0100
-Subject: [PATCH 4/4] Add link to oscap-anaconda-addon documentation
-
---
- rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 3 +++
- rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 3 +++
- 2 files changed, 6 insertions(+)
-
-diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
-index 9e44a87a86..23f1bad7e1 100644
--- a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
-+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
-@@ -104,6 +104,9 @@ clearpart --linux --initlabel
- # Create primary system partitions (required for installs)
- autopart
- 
-+# Harden installation with Essential Eight profile
-+# For more details and configuration options see command %addon org_fedora_oscap in
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
- %addon org_fedora_oscap
-         content-type = scap-security-guide
-         profile = xccdf_org.ssgproject.content_profile_e8
-diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-index 41d4b3d654..8380ea13a3 100644
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
-@@ -104,6 +104,9 @@ clearpart --linux --initlabel
- # Create primary system partitions (required for installs)
- autopart
- 
-+# Harden installation with Essential Eight profile
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+# 
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux	erase all Linux partitions
+# --initlabel	initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
 +# For more details and configuration options see
 +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
- %addon org_fedora_oscap
-         content-type = scap-security-guide
-         profile = xccdf_org.ssgproject.content_profile_e8
+%addon org_fedora_oscap
+        content-type = scap-security-guide
+        profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject	attempt to eject CD or DVD media before rebooting
+reboot --eject
--- a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
+++ b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
@ -0,0 +1,76 @@
+From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 22 May 2020 14:12:18 +0200
+Subject: [PATCH] Add missing CCEs for RHEL8
+
+---
+ .../password_storage/no_netrc_files/rule.yml                   | 1 +
+ .../accounts_user_interactive_home_directory_exists/rule.yml   | 1 +
+ .../file_groupownership_home_directories/rule.yml              | 1 +
+ shared/references/cce-redhat-avail.txt                         | 3 ---
+ 4 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+index 8547893201..1bd1f5742e 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+     cce@rhel6: 27225-2
+     cce@rhel7: 80211-6
+    cce@rhel8: 83444-0
+     cce@ocp4: 82667-7
+ 
+ references:
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index bedf3a0b19..e69bc9d736 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel7: 80529-1
+    cce@rhel8: 83424-2
+ 
+ references:
+     stigid@ol7: "020620"
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index 1c5ac8d099..f931f6d160 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel7: 80532-5
+    cce@rhel8: 83434-1
+ 
+ references:
+     stigid@ol7: "020650"
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 2f0d2a526b..45d03a2c1d 100644
+--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
+@@ -95,7 +95,6 @@ CCE-83411-9
+ CCE-83421-8
+ CCE-83422-6
+ CCE-83423-4
+-CCE-83424-2
+ CCE-83425-9
+ CCE-83426-7
+ CCE-83427-5
+@@ -105,7 +104,6 @@ CCE-83430-9
+ CCE-83431-7
+ CCE-83432-5
+ CCE-83433-3
+-CCE-83434-1
+ CCE-83435-8
+ CCE-83436-6
+ CCE-83437-4
+@@ -115,7 +113,6 @@ CCE-83440-8
+ CCE-83441-6
+ CCE-83442-4
+ CCE-83443-2
+-CCE-83444-0
+ CCE-83445-7
+ CCE-83446-5
+ CCE-83447-3
--- a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
+++ b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
@ -0,0 +1,103 @@
+From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 May 2020 13:30:24 +0200
+Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
+
+---
+ .../root_logins/no_direct_root_logins/ansible/shared.yml    | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+index e9a29a24d5..6fbb7c72a5 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+@@ -3,13 +3,9 @@
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+-- name: Test for existence of /etc/securetty
+-  stat:
+-    path: /etc/securetty
+-  register: securetty_empty
+
+ 
+ - name: "Direct root Logins Not Allowed"
+   copy:
+     dest: /etc/securetty
+     content: ""
+-  when: securetty_empty.stat.size > 1
+
+From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 May 2020 14:21:38 +0200
+Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
+
+---
+ shared/templates/template_ANSIBLE_sebool | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
+index 29f37081be..38d7c7c350 100644
+--- a/shared/templates/template_ANSIBLE_sebool
+++ b/shared/templates/template_ANSIBLE_sebool
+@@ -13,11 +13,17 @@
+ {{% else %}}
+ - (xccdf-var var_{{{ SEBOOLID }}})
+ 
+{{% if product == "rhel8" %}}
+- name: Ensure python3-libsemanage installed
+  package:
+    name: python3-libsemanage
+    state: present
+{{% else %}}
+ - name: Ensure libsemanage-python installed
+   package:
+     name: libsemanage-python
+     state: present
+-
+{{% endif %}}
+ - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
+   seboolean:
+     name: {{{ SEBOOLID }}}
+
+From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 May 2020 14:57:05 +0200
+Subject: [PATCH 3/3] add tests for no_direct_root_logins
+
+---
+ .../root_logins/no_direct_root_logins/tests/correct.pass.sh    | 3 +++
+ .../root_logins/no_direct_root_logins/tests/missing.fail.sh    | 3 +++
+ .../root_logins/no_direct_root_logins/tests/wrong.fail.sh      | 3 +++
+ 3 files changed, 9 insertions(+)
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
+new file mode 100644
+index 0000000000..17251f6a98
+--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
+@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/securetty
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
+new file mode 100644
+index 0000000000..c764814b26
+--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
+@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/securetty
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
+new file mode 100644
+index 0000000000..43ac341e87
+--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
+@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "something" > /etc/securetty
--- a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
+++ b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
@ -0,0 +1,308 @@
+From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Tue, 26 May 2020 17:49:21 +0200
+Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
+
+Affected rules:
+ - selinux_policytype
+ - selinux_state
+---
+ .../selinux/selinux_policytype/ansible/shared.yml |  9 ++-------
+ .../selinux/selinux_policytype/bash/shared.sh     |  5 +++--
+ .../tests/selinuxtype_minimum.fail.sh             | 10 ++++++++++
+ .../selinux/selinux_state/ansible/shared.yml      |  9 ++-------
+ .../system/selinux/selinux_state/bash/shared.sh   |  5 +++--
+ .../selinux_state/tests/selinux_missing.fail.sh   |  5 +++++
+ .../tests/selinux_permissive.fail.sh              | 10 ++++++++++
+ shared/macros-ansible.jinja                       | 11 +++++++++++
+ shared/macros-bash.jinja                          | 15 +++++++++++++++
+ 9 files changed, 61 insertions(+), 18 deletions(-)
+ create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+ create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
+ create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
+
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+index 5c70cc9f7f..9f8cf66dfb 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+@@ -3,11 +3,6 @@
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+ - (xccdf-var var_selinux_policy_name)
+ 
+-- name: "{{{ rule_title }}}"
+-  lineinfile:
+-    path: /etc/sysconfig/selinux
+-    regexp: '^SELINUXTYPE='
+-    line: "SELINUXTYPE={{ var_selinux_policy_name }}"
+-    create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+index d0fbbf4446..2b5ce31b12 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+@@ -1,7 +1,8 @@
+ # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+-#
+
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+
+ populate var_selinux_policy_name
+ 
+-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+new file mode 100644
+index 0000000000..1a6eb94953
+--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
+	sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
+else
+	echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
+fi
+diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+index b465ac6729..1c1560a86c 100644
+--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+@@ -3,11 +3,6 @@
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+ - (xccdf-var var_selinux_state)
+ 
+-- name: "{{{ rule_title }}}"
+-  lineinfile:
+-    path: /etc/sysconfig/selinux
+-    regexp: '^SELINUX='
+-    line: "SELINUX={{ var_selinux_state }}"
+-    create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
+diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+index 58193b5504..a402a861d7 100644
+--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+@@ -1,10 +1,11 @@
+ # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
+-#
+
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+
+ populate var_selinux_state
+ 
+-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
+ 
+ fixfiles onboot
+ fixfiles -f relabel
+diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
+new file mode 100644
+index 0000000000..180dd80791
+--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
+@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
+diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
+new file mode 100644
+index 0000000000..3db1e56b5f
+--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
+	sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
+else
+	echo 'SELINUX=permissive' >> $SELINUX_FILE
+fi
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 6798a25d1f..01d3155b37 100644
+--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
+@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
+ {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+ {{%- endmacro %}}
+ 
+{{#
+  High level macro to set a parameter in /etc/selinux/config.
+  Parameters:
+  - msg: the name for the Ansible task
+  - parameter: parameter to be set in the configuration file
+  - value: value of the parameter
+#}}
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}
+
+ {{#
+   Generates an Ansible task that puts 'contents' into a file at 'filepath'
+   Parameters:
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 3a94fe5dd8..2531d1c52d 100644
+--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
+@@ -86,6 +86,21 @@ populate {{{ name }}}
+     }}}
+ {{%- endmacro -%}}
+ 
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
+{{{ set_config_file(
+        path="/etc/selinux/config",
+        parameter=parameter,
+        value=value,
+        create=true,
+        insert_after="",
+        insert_before="",
+        insensitive=true,
+        separator="=",
+        separator_regex="\s*=\s*",
+        prefix_regex="^\s*")
+    }}}
+{{%- endmacro -%}}
+
+ {{#
+ # Install a package
+ # Uses the right command based on pkg_manger proprerty defined in product.yaml.
+
+From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Wed, 27 May 2020 18:48:57 +0200
+Subject: [PATCH 2/2] Remediation requires reboot.
+
+Update OVAL check to disallow spaces.
+Removed selinuxtype_minimum test scenario since breaks the system.
+---
+ .../selinux/selinux_policytype/ansible/shared.yml      |  2 +-
+ .../system/selinux/selinux_policytype/bash/shared.sh   |  4 ++++
+ .../system/selinux/selinux_policytype/oval/shared.xml  |  2 +-
+ .../tests/selinuxtype_minimum.fail.sh                  | 10 ----------
+ .../guide/system/selinux/selinux_state/bash/shared.sh  |  4 ++++
+ .../guide/system/selinux/selinux_state/oval/shared.xml |  2 +-
+ shared/macros-ansible.jinja                            |  2 +-
+ shared/macros-bash.jinja                               |  4 ++--
+ 8 files changed, 14 insertions(+), 16 deletions(-)
+ delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+index 9f8cf66dfb..73e6ec7cd4 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+@@ -1,5 +1,5 @@
+ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+-# reboot = false
+# reboot = true
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+index 2b5ce31b12..b4f79c97f9 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+@@ -1,4 +1,8 @@
+ # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+ 
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+index f1840a1290..3d69fff07f 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+@@ -27,7 +27,7 @@
+ 
+   <ind:textfilecontent54_object id="obj_selinux_policy" version="1">
+     <ind:filepath>/etc/selinux/config</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
+    <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ </def-group>
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+deleted file mode 100644
+index 1a6eb94953..0000000000
+--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+++ /dev/null
+@@ -1,10 +0,0 @@
+-#!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+-
+-SELINUX_FILE='/etc/selinux/config'
+-
+-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
+-	sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
+-else
+-	echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
+-fi
+diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+index a402a861d7..645a7acab4 100644
+--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+@@ -1,4 +1,8 @@
+ # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+ 
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+index c0881696e1..8c328060af 100644
+--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+@@ -18,7 +18,7 @@
+ 
+   <ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
+     <ind:filepath>/etc/selinux/config</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 01d3155b37..580a0b948e 100644
+--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
+@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
+   - value: value of the parameter
+ #}}
+ {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
+-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
+ {{%- endmacro %}}
+ 
+ {{#
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 2531d1c52d..8abcc914d3 100644
+--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
+@@ -96,8 +96,8 @@ populate {{{ name }}}
+         insert_before="",
+         insensitive=true,
+         separator="=",
+-        separator_regex="\s*=\s*",
+-        prefix_regex="^\s*")
+        separator_regex="=",
+        prefix_regex="^")
+     }}}
+ {{%- endmacro -%}}
+ 
--- a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
+++ b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
@ -0,0 +1,40 @@
+From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 23:36:18 +0200
+Subject: [PATCH] Ansible mount_option: split mount and option task
+
+Separate task that adds mount options mounts the mountpoint into two tasks.
+Conditioning the "mount" task on the absence of the target mount option
+caused the task to always be skipped when mount option was alredy present,
+and could result in the mount point not being mounted.
+---
+ shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
+index 95bede25f9..a0cf8d6b7a 100644
+--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
+@@ -26,14 +26,19 @@
+     - device_name.stdout is defined and device_name.stdout_lines is defined
+     - (device_name.stdout | length > 0)
+ 
+-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
+  set_fact:
+    mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
+  when:
+    - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+
+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
+   mount:
+     path: "{{{ MOUNTPOINT }}}"
+     src: "{{ mount_info.source }}"
+-    opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
+    opts: "{{ mount_info.options }}"
+     state: "mounted"
+     fstype: "{{ mount_info.fstype }}"
+   when:
+-    - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+     - device_name.stdout is defined
+     - (device_name.stdout | length > 0)
--- a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
+++ b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
@ -0,0 +1,33 @@
+From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 14 May 2020 16:46:07 +0200
+Subject: [PATCH] reorder groups because of permissions verification
+
+---
+ ssg/build_yaml.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
+index e3e138283c..c9f3179c08 100644
+--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
+@@ -700,6 +700,11 @@ def to_xml_element(self):
+         # audit_rules_privileged_commands, othervise the rule
+         # does not catch newly installed screeen binary during remediation
+         # and report fail
+        # the software group should come before the
+        # bootloader-grub2 group because of conflict between
+        # rules rpm_verify_permissions and file_permissions_grub2_cfg
+        # specific rules concerning permissions should
+        # be applied after the general rpm_verify_permissions
+         # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
+         # the firewalld_activation must come before ruleset_modifications, othervise
+         # remediations for ruleset_modifications won't work
+@@ -707,6 +712,7 @@ def to_xml_element(self):
+         # otherwise the remediation prints error although it is successful
+         priority_order = [
+             "accounts", "auditing",
+            "software", "bootloader-grub2",
+             "fips", "crypto",
+             "firewalld_activation", "ruleset_modifications",
+             "disabling_ipv6", "configuring_ipv6"
--- a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
+++ b/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
@ -0,0 +1,171 @@
+From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 14 May 2020 01:20:53 +0200
+Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
+
+All paths in /etc/rsyslog.conf were taken as log files, but paths
+in lines containing "include" or "$IncludeConfig" are config files.
+
+Let's not take them in as log files
+---
+ .../rsyslog_files_permissions/oval/shared.xml          | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+index a78cd69df2..c74f3da3f5 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+@@ -87,8 +87,18 @@
+     -->
+     <ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <filter action="exclude">state_ignore_include_paths</filter>
+   </ind:textfilecontent54_object>
+ 
+  <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+    <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+         include() or $IncludeConfig statements.
+         These paths are conf files, not log files. Their permissions don't need to be as
+         required for log files, thus, lets exclude them from the list of objects found
+    -->
+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+  </ind:textfilecontent54_state>
+
+   <!-- Define OVAL variable to hold all the various system log files locations
+        retrieved from the different rsyslog configuration files
+   -->
+
+From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 14 May 2020 00:16:37 +0200
+Subject: [PATCH 2/4] Fix permissions of files referenced by include()
+
+The remediation script also needs to parse the files included via
+"include()".
+The awk also takes into consideration the multiline aspect.
+---
+ .../rsyslog_files_permissions/bash/shared.sh                  | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index 6cbf0c6a24..dca35301e7 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
+ # * And also the log file paths listed after rsyslog's $IncludeConfig directive
+ #   (store the result into array for the case there's shell glob used as value of IncludeConfig)
+ readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+
+ # Declare an array to hold the final list of different log file paths
+ declare -a LOG_FILE_PATHS
+ 
+ # Browse each file selected above as containing paths of log files
+ # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
+ do
+ 	# From each of these files extract just particular log file path(s), thus:
+ 	# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
+
+From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 15:53:58 +0200
+Subject: [PATCH 3/4] Make regex for include file more strict
+
+For some reason gensub in awk doesn't support non capturing group.
+So the group with OR is capturing and we substitute everyting with the
+second group, witch matches the file path.
+---
+ .../rsyslog_files_permissions/bash/shared.sh                    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index dca35301e7..99d2d0e794 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
+ # * And also the log file paths listed after rsyslog's $IncludeConfig directive
+ #   (store the result into array for the case there's shell glob used as value of IncludeConfig)
+ readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+ 
+ # Declare an array to hold the final list of different log file paths
+ declare -a LOG_FILE_PATHS
+
+From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 16:55:02 +0200
+Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
+
+These three files basically work the same way
+---
+ .../rsyslog_files_groupownership/oval/shared.xml       | 10 ++++++++++
+ .../rsyslog_files_ownership/oval/shared.xml            | 10 ++++++++++
+ .../rsyslog_files_permissions/oval/shared.xml          |  4 ++--
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+index 5828f25321..9941e2b94f 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+@@ -86,8 +86,18 @@
+     -->
+     <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <filter action="exclude">state_groupownership_ignore_include_paths</filter>
+   </ind:textfilecontent54_object>
+ 
+  <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
+    <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+         include() or $IncludeConfig statements.
+         These paths are conf files, not log files. Their groupownership don't need to be as
+         required for log files, thus, lets exclude them from the list of objects found
+    -->
+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+  </ind:textfilecontent54_state>
+
+   <!-- Define OVAL variable to hold all the various system log files locations
+        retrieved from the different rsyslog configuration files
+   -->
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+index 3c46eab6d6..29dd1a989e 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+@@ -83,8 +83,18 @@
+     -->
+     <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <filter action="exclude">state_owner_ignore_include_paths</filter>
+   </ind:textfilecontent54_object>
+ 
+  <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
+    <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+         include() or $IncludeConfig statements.
+         These paths are conf files, not log files. Their owner don't need to be as
+         required for log files, thus, lets exclude them from the list of objects found
+    -->
+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+  </ind:textfilecontent54_state>
+
+   <!-- Define OVAL variable to hold all the various system log files locations
+        retrieved from the different rsyslog configuration files
+   -->
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+index c74f3da3f5..da37a15b8c 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+@@ -87,10 +87,10 @@
+     -->
+     <ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+-    <filter action="exclude">state_ignore_include_paths</filter>
+    <filter action="exclude">state_permissions_ignore_include_paths</filter>
+   </ind:textfilecontent54_object>
+ 
+-  <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+  <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
+     <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+          include() or $IncludeConfig statements.
+          These paths are conf files, not log files. Their permissions don't need to be as
--- a/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
+++ b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -1,15 +1,26 @@
 Name:		scap-security-guide
-Version:	0.1.47
-Release:	2%{?dist}
+Version:	0.1.50
+Release:	6%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 Group:		Applications/System
 License:	BSD
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
-# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream
+# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0:		disable-not-in-good-shape-profiles.patch
-Patch1:		scap-security-guide-0.1.48-e8_kickstarts.patch
-Patch2:		scap-security-guide-0.1.48-e8_polish.patch
+Patch1:		scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
+Patch2:		scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
+Patch3:		scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
+Patch4:		scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
+Patch5:		scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
+# Patch6 already contains typo fix
+Patch6:		scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
+Patch7:		scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
+Patch8:		scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
+Patch9:		scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
+Patch10:		scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
+Patch11:		scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
+Patch12:		scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
 BuildArch:	noarch

 # To get python3 inside the buildroot require its path explicitly in BuildRequires
@ -46,6 +57,16 @@ present in %{name} package.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
 mkdir build

 %build
@ -80,6 +101,65 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html

 %changelog
+* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
+- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
+
+* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
+- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
+
+* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
+- CIS Ansible fixes (RHBZ#1760734)
+- HIPAA Ansible fixes (RHBZ#1832760)
+
+* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
+ - HIPAA Profile (RHBZ#1832760)
+  - Enable build of RHEL8 HIPAA Profile
+  - Add kickstarts for HIPAA
+- CIS Profile (RHBZ#1760734)
+  - Add Ansible fix for sshd_set_max_sessions
+  - Add CIS Profile content attribution to Center for Internet Security
+
+* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
+- Fix Ansible for no_direct_root_logins
+- Fix Ansible template for SELinux booleans
+- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
+- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
+- Update to the latest upstream release (RHBZ#1815007)
+
+* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
+- Update to the latest upstream release (RHBZ#1815007)
+
+* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
+- Update baseline package list of OSPP profile
+
+* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
+- Rebuilt with correct spec file
+
+* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
+- Add SRG references to STIG rules (RHBZ#1755447)
+
+* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
+- Drop rsyslog rules from OSPP profile
+- Update COBIT URI
+- Add rules for strong source of RNG entropy
+- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
+- STIG profile: added rsyslog rules and updated SRG mappings
+- Split audit rules according to audit component (RHBZ#1791312)
+
+* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
+- Update crypto-policy test scenarios
+- Update max-path-len test to skip tests/logs directory
+
+* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
+- Fix list of tables that are generated for RHEL8
+
+* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
+- Update to latest upstream SCAP-Security-Guide-0.1.48 release
+
 * Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
 - Improved the e8 profile (RHBZ#1755194)