Update OSPP Profile

Resolves: rhbz#2016038
Resolves: rhbz#2043036
Resolves: rhbz#2020670
Resolves: rhbz#2046289

scap-security-guide-0.1.61-RC_244-PR_8133.patch

@@ -0,0 +1,24 @@
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index 9f036f83015..f94ddab2fe1 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -32,6 +32,7 @@ references:
+     cis@ubuntu2004: 4.1.1.4
+     disa: CCI-001849
+     nist: CM-6(a)
++    ospp: FAU_STG.1,FAU_STG.3
+     srg: SRG-OS-000254-GPOS-00095,SRG-OS-000341-GPOS-00132
+     stigid@ol8: OL08-00-030602
+     stigid@rhel8: RHEL-08-030602
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 6d76e896ffc..7396b9167c6 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -25,6 +25,7 @@ identifiers:
+ 
+ references:
+     cis@ubuntu2004: 4.1.1.4
++    ospp: FAU_STG.1,FAU_STG.3
+ 
+ ocil_clause: 'audit backlog limit is not configured'
+ 

scap-security-guide-0.1.61-RC_246_250-PR_8070.patch

@@ -0,0 +1,26 @@
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+index 5841f378fe6..f4780b4ae6d 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+@@ -22,7 +22,7 @@ identifiers:
+ references:
+     disa: CCI-000366
+     nist: CM-6
+-    ospp: FAU_GEN.1.1.c
++    ospp: FAU_GEN.1
+     srg: SRG-OS-000062-GPOS-00031,SRG-OS-000480-GPOS-00227
+     stigid@ol8: OL08-00-030061
+     stigid@rhel8: RHEL-08-030061
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
+index ba60b9b2c98..19dc3320e85 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
+@@ -47,7 +47,7 @@ identifiers:
+ 
+ references:
+     nist: AU-2(a)
+-    ospp: FAU_GEN.1.1.c
++    ospp: FAU_GEN.1
+     srg: SRG-OS-000365-GPOS-00152,SRG-OS-000475-GPOS-00220
+ 
+ ocil_clause: 'the file does not exist or the content differs'

scap-security-guide-0.1.61-RC_247-PR_8114.patch

@@ -0,0 +1,13 @@
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
+index 6c39a05550c..f169cba9f6b 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
+@@ -21,7 +21,7 @@ identifiers:
+ 
+ references:
+     nist: CM-6
+-    ospp: FAU_GEN.1.1.c
++    ospp: FAU_STG.1
+     srg: SRG-OS-000480-GPOS-00227
+ 
+ ocil_clause: write_logs isn't set to yes

scap-security-guide-0.1.61-RC_248_249-PR_8071.patch

@@ -0,0 +1,26 @@
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+index 48ed2f31795..b536a68cf2a 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+@@ -23,7 +23,7 @@ identifiers:
+ references:
+     disa: CCI-000366
+     nist: CM-6,AU-3
+-    ospp: FAU_GEN.1
++    ospp: FAU_GEN.1.2
+     srg: SRG-OS-000255-GPOS-00096,SRG-OS-000480-GPOS-00227
+     stigid@ol8: OL08-00-030063
+     stigid@rhel8: RHEL-08-030063
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+index a31e975c1c9..8da90cd760f 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+@@ -24,7 +24,7 @@ identifiers:
+ references:
+     disa: CCI-001851
+     nist: CM-6,AU-3
+-    ospp: FAU_GEN.1
++    ospp: FAU_GEN.1.2
+     srg: SRG-OS-000039-GPOS-00017,SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
+     stigid@ol7: OL07-00-030211
+     stigid@ol8: OL08-00-030062

scap-security-guide-0.1.61-RC_251-PR_8072.patch

@@ -0,0 +1,13 @@
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+index ac43b654188..70357c153be 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+@@ -37,7 +37,7 @@ identifiers:
+ references:
+     disa: CCI-000162
+     nist: AU-2(a)
+-    ospp: FAU_GEN.1.1.c
++    ospp: FAU_GEN.1.2
+     srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
+     stigid@ol8: OL08-00-030122
+     stigid@rhel8: RHEL-08-030122

scap-security-guide-0.1.61-RC_253-PR_8111.patch

@@ -0,0 +1,12 @@
+diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+index 5af94a56910..7968d90331e 100644
+--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
++++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+@@ -31,6 +31,7 @@ references:
+     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
+     nist: CM-6(a)
+     nist-csf: PR.PT-1
++    ospp: FTP_ITC_EXT.1.1
+     srg: SRG-OS-000479-GPOS-00224,SRG-OS-000051-GPOS-00024,SRG-OS-000480-GPOS-00227
+     stigid@ol8: OL08-00-030670
+     stigid@rhel8: RHEL-08-030670

scap-security-guide-0.1.61-RC_254-PR_8113.patch

@@ -0,0 +1,13 @@
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
+index d5d49bf7426..83c6d9339de 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
+@@ -29,7 +29,7 @@ references:
+     anssi: BP28(R43)
+     ism: 0988,1405
+     nist: AU-9(3),CM-6(a)
+-    ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1
++    ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1,FIA_X509_EXT.1.1,FMT_SMF_EXT.1.1
+     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061
+ 
+ ocil_clause: 'omfwd is not configured with gtls and AuthMode'

scap-security-guide-0.1.61-RC_255-PR_8112.patch

@@ -0,0 +1,13 @@
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
+index 635207b571f..818f24718a0 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
+@@ -27,7 +27,7 @@ identifiers:
+ references:
+     anssi: BP28(R43)
+     ism: 0988,1405
+-    ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1
++    ospp: FCS_TLSC_EXT.1
+     srg: SRG-OS-000480-GPOS-00227
+ 
+ ocil_clause: 'CA certificate for rsyslog remote logging via TLS is not set'

scap-security-guide-0.1.61-RC_277_245-PR_8069.patch

@@ -0,0 +1,24 @@
+diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+index 8b36f0c2fa3..795089c8b83 100644
+--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
++++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+@@ -27,6 +27,7 @@ references:
+     nerc-cip: CIP-004-6 R3.3,CIP-007-3 R6.5
+     nist: AC-7(a),AU-7(1),AU-7(2),AU-14,AU-12(2),AU-2(a),CM-6(a)
+     nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1)
++    ospp: FAU_GEN.1
+     srg: SRG-OS-000122-GPOS-00063,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000480-GPOS-00227,SRG-OS-000062-GPOS-00031
+     stigid@ol8: OL08-00-030180
+     stigid@rhel8: RHEL-08-030180
+diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+index 320b69c3179..99edca3e270 100644
+--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
++++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+@@ -50,6 +50,7 @@ references:
+     nist: AC-2(g),AU-3,AU-10,AU-2(d),AU-12(c),AU-14(1),AC-6(9),CM-6(a),SI-4(23)
+     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+     nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)
++    ospp: FAU_GEN.1
+     pcidss: Req-10.1
+     srg: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227,SRG-OS-000062-GPOS-00031
+     stigid@ol7: OL07-00-030000

scap-security-guide-0.1.61-add_RHEL_08_010331-PR_8055.patch

@@ -0,0 +1,165 @@
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
+index 8a28af022a7..02c69bddd27 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle
++# platform = multi_platform_all
+ # reboot = false
+ # strategy = restrict
+ # complexity = high
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+index a7182849548..db89a5e47a1 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+@@ -31,6 +31,8 @@ rationale: |-
+     of initiating changes, including upgrades and modifications.
+ 
+ identifiers:
++    cce@rhel8: CCE-88692-9
++    cce@rhel9: CCE-88693-7
+     cce@sle12: CCE-83234-5
+     cce@sle15: CCE-85753-2
+ 
+@@ -40,6 +42,8 @@ references:
+     disa: CCI-001499
+     nerc-cip: CIP-003-8 R6
+     nist: CM-5,CM-5(6),CM-5(6).1
++    srg: SRG-OS-000259-GPOS-00100
++    stigid@rhel8: RHEL-08-010331
+     stigid@sle12: SLES-12-010872
+     stigid@sle15: SLES-15-010352
+     stigid@ubuntu2004: UBTU-20-010427
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+index af078463b05..6e957c302ac 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,multi_platform_ubuntu
++# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
+ DIRS="/lib /lib64 /usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
+ 	find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
+index d58616bcafb..55ff9cebd4f 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,multi_platform_ubuntu
++# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
+ DIRS="/lib /lib64 /usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
+     chmod -R 755 "$dirPath"
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
+index 98d18cde3ea..c2b5b6bf029 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,multi_platform_ubuntu
++# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
+ DIRS="/lib /lib64"
+ for dirPath in $DIRS; do
+ 	mkdir -p "$dirPath/testme" && chmod 777  "$dirPath/testme"
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
+index 6df6e2f8f9b..40e6c42c829 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,multi_platform_ubuntu
++# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
+ DIRS="/usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
+ 	mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
+diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
+index decba0087e8..920a55659fd 100644
+--- a/products/rhel8/profiles/cjis.profile
++++ b/products/rhel8/profiles/cjis.profile
+@@ -77,6 +77,7 @@ selections:
+     - accounts_password_pam_difok
+     - accounts_max_concurrent_login_sessions
+     - set_password_hashing_algorithm_systemauth
++    - set_password_hashing_algorithm_passwordauth
+     - set_password_hashing_algorithm_logindefs
+     - set_password_hashing_algorithm_libuserconf
+     - file_owner_etc_shadow
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 04f158116ee..5d98b1c894e 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -228,6 +228,9 @@ selections:
+     # RHEL-08-010330
+     - file_permissions_library_dirs
+ 
++    # RHEL-08-010331
++    - dir_permissions_library_dirs
++
+     # RHEL-08-010340
+     - file_ownership_library_dirs
+ 
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 8f79b22e3e4..2614504e9cd 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -229,6 +229,9 @@ selections:
+     # RHEL-08-010330
+     - file_permissions_library_dirs
+ 
++    # RHEL-08-010331
++    - dir_permissions_library_dirs
++
+     # RHEL-08-010340
+     - file_ownership_library_dirs
+ 
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 3f6ec5e17c4..4a926bce5de 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -2645,8 +2645,6 @@ CCE-88688-7
+ CCE-88689-5
+ CCE-88690-3
+ CCE-88691-1
+-CCE-88692-9
+-CCE-88693-7
+ CCE-88694-5
+ CCE-88695-2
+ CCE-88696-0
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index ed739e724f4..4df5c4a2e21 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -25,6 +25,7 @@ extends: null
+ metadata:
+     version: V1R4
+     SMEs:
++    - mab879
+     - ggbecker
+ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ selections:
+@@ -180,6 +181,7 @@ selections:
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_lock_enabled
+ - dir_group_ownership_library_dirs
++- dir_permissions_library_dirs
+ - dir_perms_world_writable_root_owned
+ - dir_perms_world_writable_sticky_bits
+ - directory_group_ownership_var_log_audit
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 56c3fcb9f59..98746158aed 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -36,6 +36,7 @@ extends: null
+ metadata:
+     version: V1R4
+     SMEs:
++    - mab879
+     - ggbecker
+ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ selections:
+@@ -191,6 +192,7 @@ selections:
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_lock_enabled
+ - dir_group_ownership_library_dirs
++- dir_permissions_library_dirs
+ - dir_perms_world_writable_root_owned
+ - dir_perms_world_writable_sticky_bits
+ - directory_group_ownership_var_log_audit

scap-security-guide-0.1.61-add_RHEL_08_010359-PR_8131.patch

@@ -0,0 +1,57 @@
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+index 68b353965ec..ff106996f00 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+@@ -28,7 +28,7 @@ references:
+     cis@ubuntu2004: 1.4.1
+     cjis: 5.10.1.3
+     cobit5: APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06
+-    disa: CCI-002699,CCI-001744
++    disa: CCI-002696,CCI-002699,CCI-001744
+     isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
+     isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 4.1,SR 6.2,SR 7.6'
+     ism: 1034,1288,1341,1417
+@@ -36,9 +36,9 @@ references:
+     nist: CM-6(a)
+     nist-csf: DE.CM-1,DE.CM-7,PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3
+     pcidss: Req-11.5
+-    srg: SRG-OS-000363-GPOS-00150
++    srg: SRG-OS-000363-GPOS-00150,SRG-OS-000445-GPOS-00199
+     stigid@ol8: OL08-00-010360
+-    stigid@rhel8: RHEL-08-010360
++    stigid@rhel8: RHEL-08-010359
+     stigid@sle12: SLES-12-010500
+     stigid@sle15: SLES-15-010420
+     stigid@ubuntu2004: UBTU-20-010450
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index ff23f83cfbf..cb72403e81a 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -239,8 +239,10 @@ selections:
+     - root_permissions_syslibrary_files
+     - dir_group_ownership_library_dirs
+ 
+-    # RHEL-08-010360
++    # RHEL-08-010359
+     - package_aide_installed
++
++    # RHEL-08-010360
+     - aide_scan_notification
+ 
+     # RHEL-08-010370
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 31015d4b83c..93ecc404dc2 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -240,8 +240,10 @@ selections:
+     - root_permissions_syslibrary_files
+     - dir_group_ownership_library_dirs
+ 
+-    # RHEL-08-010360
++    # RHEL-08-010359
+     - package_aide_installed
++
++    # RHEL-08-010360
+     - aide_scan_notification
+ 
+     # RHEL-08-010370

scap-security-guide-0.1.61-add_RHEL_08_020221-PR_8173.patch

@@ -0,0 +1,13 @@
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+index 5353f60975c..69a36c4959a 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+@@ -43,7 +43,7 @@ references:
+     stigid@ol7: OL07-00-010270
+     stigid@ol8: OL08-00-020220
+     stigid@rhel7: RHEL-07-010270
+-    stigid@rhel8: RHEL-08-020220
++    stigid@rhel8: RHEL-08-020221
+     vmmsrg: SRG-OS-000077-VMM-000440
+ 
+ ocil_clause: |-

scap-security-guide-0.1.61-add_RHEL_08_040321-PR_8169.patch

@@ -0,0 +1,49 @@
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+index de0e359a44e..df56a30be80 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+@@ -39,6 +39,7 @@ references:
+     nist: CM-7(a),CM-7(b),CM-6(a)
+     nist-csf: PR.AC-3,PR.PT-4
+     srg: SRG-OS-000480-GPOS-00227
++    stigid@rhel8: RHEL-08-040321
+ 
+ ocil_clause: 'the X windows display server is running and/or has not been disabled'
+ 
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 09fa85df181..ffca983d0bd 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -1169,6 +1169,9 @@ selections:
+     # RHEL-08-040320
+     - xwindows_remove_packages
+ 
++    # RHEL-08-040321
++    - xwindows_runlevel_target
++
+     # RHEL-08-040330
+     - network_sniffer_disabled
+ 
+diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
+index d1577215b07..d29ceb9c54e 100644
+--- a/products/rhel8/profiles/stig_gui.profile
++++ b/products/rhel8/profiles/stig_gui.profile
+@@ -35,3 +35,6 @@ extends: stig
+ selections:
+     # RHEL-08-040320
+     - '!xwindows_remove_packages'
++
++    # RHEL-08-040321
++    - '!xwindows_runlevel_target'
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 9c05c27117c..e4fee44f9f9 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -398,6 +398,7 @@ selections:
+ - usbguard_generate_policy
+ - wireless_disable_interfaces
+ - xwindows_remove_packages
++- xwindows_runlevel_target
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - var_accounts_user_umask=077

scap-security-guide-0.1.61-distributed-sshd-rekeylimit-PR_8148.patch

@@ -0,0 +1,282 @@
+From f7a2fb33ad1507ad4ce3f7ec6534c06d4f6a7e83 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 4 Feb 2022 12:02:36 +0100
+Subject: [PATCH 1/3] Add tests for distributed SSHD RekeyLimit config
+
+---
+ .../sshd_rekey_limit/tests/bad_size_directory.fail.sh | 10 ++++++++++
+ .../sshd_rekey_limit/tests/bad_time_directory.fail.sh | 10 ++++++++++
+ .../sshd_rekey_limit/tests/no_line_directory.fail.sh  |  8 ++++++++
+ .../sshd_rekey_limit/tests/rhel8_ok.pass.sh           |  2 +-
+ .../sshd_rekey_limit/tests/rhel9_ok.pass.sh           | 11 +++++++++++
+ 5 files changed, 40 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
+new file mode 100644
+index 00000000000..88c6420c5ca
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
+@@ -0,0 +1,10 @@
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++	sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "RekeyLimit 812M 1h" > /etc/ssh/sshd_config.d/bad_config.conf
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
+new file mode 100644
+index 00000000000..3bb0926017c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
+@@ -0,0 +1,10 @@
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++	sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "RekeyLimit 512M 2h" > /etc/ssh/sshd_config.d/bad_config.conf
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
+new file mode 100644
+index 00000000000..00569de1b84
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
+@@ -0,0 +1,8 @@
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++	sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
+index b9834e6d0b2..894c0ae4ba8 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Enterprise Linux 8
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+ 
+ sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
+new file mode 100644
+index 00000000000..e183e8986dc
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
+@@ -0,0 +1,11 @@
++# platform = Red Hat Enterprise Linux 9
++# profiles = xccdf_org.ssgproject.content_profile_ospp
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++	sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "RekeyLimit 1G 1h" >> /etc/ssh/sshd_config.d/good_config.conf
+
+From 782e3a6108ea377d526d0aed4e8c0cf019f3dcdd Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 4 Feb 2022 12:06:45 +0100
+Subject: [PATCH 2/3] Update rule to handle distributed config
+
+Based on the template sshd_lineinfile, updated rule sshd_rekey_limit to
+check and remediate SSHD configuration in products that support
+/etc/sshd/sshd_config.d/
+
+The rule cannot use the template as it relies on two external variables.
+---
+ .../sshd_rekey_limit/ansible/shared.yml       |  8 +++-
+ .../sshd_rekey_limit/bash/shared.sh           |  2 +-
+ .../sshd_rekey_limit/oval/shared.xml          | 46 ++++++++++++++-----
+ .../ssh/ssh_server/sshd_rekey_limit/rule.yml  | 10 +++-
+ 4 files changed, 50 insertions(+), 16 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
+index 84a4f084d40..f30dcdb2ed3 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
+@@ -5,4 +5,10 @@
+ # disruption = low
+ {{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
+ 
+-{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}") }}}
++{{{
++    ansible_sshd_set(
++        parameter="RekeyLimit",
++        value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}",
++        config_is_distributed=sshd_distributed_config
++    )
++}}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+index 4422f63472c..789358472a1 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+@@ -2,4 +2,4 @@
+ 
+ {{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
+ 
+-{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
++{{{ bash_sshd_remediation(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time", config_is_distributed=sshd_distributed_config) -}}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+index f49d9ab5275..e109cbd3124 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+@@ -1,26 +1,49 @@
+-{{% set filepath = "/etc/ssh/sshd_config" -%}}
+-
++{{%- set parameter = "RekeyLimit" %}}
++{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
++{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
++{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
++{{%- if sshd_distributed_config == "true" %}}
++{{%- set description = description  ~ " or in " ~ sshd_config_dir -%}}
++{{%- endif %}}
+ 
+ <def-group>
+   <definition class="compliance" id="{{{ rule_id }}}" version="1">
+-    {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in '" + filepath + "'") }}}
+-    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+-        {{{- application_not_required_or_requirement_unset() }}}
+-        {{{- application_required_or_requirement_unset() }}}
+-        {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+-    </criteria>
+-    </criteria>
++  {{{ oval_metadata(description) }}}
++  <criteria comment="sshd is configured correctly or is not installed" operator="OR">
++    {{{- application_not_required_or_requirement_unset() }}}
++    {{{- application_required_or_requirement_unset() }}}
++      <criteria comment="sshd is configured corectly" operator="OR">
++        {{{- oval_line_in_file_criterion(sshd_config_path, parameter) }}}
++        {{%- if sshd_distributed_config %}}
++        {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter) | indent(8) }}}
++        {{%- endif %}}
++      </criteria>
++    </criteria><!-- macro application_required_or_requirement_unset() leaves an open criteria element-->
++  </criteria>
+   </definition>
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_sshd_rekey_limit" version="1">
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
+      <ind:object object_ref="obj_sshd_rekey_limit"/>
+   </ind:textfilecontent54_test>
+ 
+   <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
+-     <ind:filepath>{{{ filepath }}}</ind:filepath>
++     <ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
++     <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
++     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  {{%- if sshd_distributed_config %}}
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
++     <ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
++     <ind:path>{{{ sshd_config_dir}}}</ind:path>
++     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
+      <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
+      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
++  {{%- endif %}}
+ 
+   <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
+     <concat>
+@@ -35,4 +58,3 @@
+   <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
+   <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
+ </def-group>
+-
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+index 450f244de41..702cd0506d3 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+@@ -6,8 +6,10 @@ description: |-
+     The <tt>RekeyLimit</tt> parameter specifies how often
+     the session key of the is renegotiated, both in terms of
+     amount of data that may be transmitted and the time
+-    elapsed. To decrease the default limits, put line
+-    <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
++    elapsed.<br/>
++    To decrease the default limits, add or correct the following line in
++    {{{ sshd_config_file() }}}
++    <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
+ 
+ rationale: |-
+     By decreasing the limit based on the amount of data and enabling
+@@ -32,6 +34,10 @@ ocil_clause: 'it is commented out or is not set'
+ ocil: |-
+     To check if RekeyLimit is set correctly, run the
+     following command:
++    {{% if sshd_distributed_config == "true" %}}
++    <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*</pre>
++    {{% else %}}
+     <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
++    {{% endif %}}
+     If configured properly, output should be
+     <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
+
+From 78d6d40f280b0e43e6c8fd7d60cfd81e7979fb8f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 9 Feb 2022 16:59:53 +0100
+Subject: [PATCH 3/3] Use the Jinja variable 'parameter' where applicable
+
+---
+ .../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml       | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+index e109cbd3124..d79ac7f2047 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+@@ -1,7 +1,7 @@
+ {{%- set parameter = "RekeyLimit" %}}
+ {{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
+ {{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+-{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
++{{%- set description = "Ensure {{{ parameter }}} is configured with the appropriate value in " ~ sshd_config_path %}}
+ {{%- if sshd_distributed_config == "true" %}}
+ {{%- set description = description  ~ " or in " ~ sshd_config_dir -%}}
+ {{%- endif %}}
+@@ -22,7 +22,7 @@
+   </criteria>
+   </definition>
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
+      <ind:object object_ref="obj_sshd_rekey_limit"/>
+   </ind:textfilecontent54_test>
+ 
+@@ -33,7 +33,7 @@
+   </ind:textfilecontent54_object>
+ 
+   {{%- if sshd_distributed_config %}}
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
+      <ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
+   </ind:textfilecontent54_test>
+ 
+@@ -47,7 +47,7 @@
+ 
+   <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
+     <concat>
+-      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
++      <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
+       <variable_component var_ref="var_rekey_limit_size"/>
+       <literal_component>[\s]+</literal_component>
+       <variable_component var_ref="var_rekey_limit_time"/>

scap-security-guide-0.1.61-file_groupowner-PR_7791.patch

@@ -0,0 +1,536 @@
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
+new file mode 100644
+index 00000000000..de85c892704
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
+@@ -0,0 +1,38 @@
++documentation_complete: true
++
++title: 'Audit Configuration Files Must Be Owned By Group root'
++
++description: |-
++    All audit configuration files must be owned by group root.
++    <pre>chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*</pre>
++
++rationale: |-
++    Without the capability to restrict which roles and individuals can
++    select which events are audited, unauthorized personnel may be able
++    to prevent the auditing of critical events.
++    Misconfigured audits may degrade the system's performance by
++    overwhelming the audit log. Misconfigured audits may also make it more
++    difficult to establish, correlate, and investigate the events relating
++    to an incident or identify those responsible for one.
++
++severity: medium
++
++references:
++    disa: CCI-000171
++    srg: SRG-OS-000063-GPOS-00032
++    stigid@ubuntu2004: UBTU-20-010135
++
++ocil: |-
++    {{{ describe_file_group_owner(file="/etc/audit/", group="root") }}}
++    {{{ describe_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}
++
++template:
++    name: file_groupowner
++    vars:
++        filepath:
++            - /etc/audit/
++            - /etc/audit/rules.d/
++        file_regex:
++            - ^audit(\.rules|d\.conf)$
++            - ^.*\.rules$
++        filegid: '0'
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
+new file mode 100644
+index 00000000000..5235e0d05a3
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
+@@ -0,0 +1,9 @@
++#!/bin/bash
++
++export TESTFILE=/etc/audit/rules.d/test_rule.rules
++export AUDITFILE=/etc/audit/auditd.conf
++mkdir -p /etc/audit/rules.d/
++touch $TESTFILE
++touch $AUDITFILE
++chgrp root $TESTFILE
++chgrp root $AUDITFILE
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
+new file mode 100644
+index 00000000000..52378d810a5
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++
++groupadd group_test
++export TESTFILLE=/etc/audit/rules.d/test_rule.rules
++export AUDITFILE=/etc/audit/auditd.conf
++mkdir -p /etc/audit/rules.d/
++touch $TESTFILLE
++touch $AUDITFILE
++chgrp group_test $TESTFILLE
++chgrp group_test $AUDITFILE
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+index 5e2cabafc34..927d08d03d4 100644
+--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+@@ -1,8 +1,15 @@
++{{% if 'ubuntu' in product %}}
++{{% set gid = 'syslog' %}}
++{{% else %}}
++{{% set gid = 'root' %}}
++{{% endif %}}
++
++
+ documentation_complete: true
+ 
+ title: 'Verify Group Who Owns /var/log Directory'
+ 
+-description: '{{{ describe_file_group_owner(file="/var/log", group="root") }}}'
++description: '{{{ describe_file_group_owner(file="/var/log", group=gid) }}}'
+ 
+ rationale: |-
+     The <tt>/var/log</tt> directory contains files with logs of error
+@@ -22,13 +29,16 @@ references:
+     stigid@rhel8: RHEL-08-010260
+     stigid@ubuntu2004: UBTU-20-010417
+ 
+-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group="root") }}}'
++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group=gid) }}}'
+ 
+ ocil: |-
+-    {{{ ocil_file_group_owner(file="/var/log", group="root") }}}
++    {{{ ocil_file_group_owner(file="/var/log", group=gid) }}}
+ 
+ template:
+     name: file_groupowner
+     vars:
+         filepath: /var/log/
+         filegid: '0'
++        filegid@ubuntu1604: '110'
++        filegid@ubuntu1804: '110'
++        filegid@ubuntu2004: '110'
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
+new file mode 100644
+index 00000000000..f654279fe54
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
+@@ -0,0 +1,27 @@
++documentation_complete: true
++
++title: 'Verify Group Who Owns /var/log/syslog File'
++
++description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}'
++
++rationale: |-
++    The <tt>/var/log/syslog</tt> file contains logs of error messages in
++    the system and should only be accessed by authorized personnel.
++
++severity: medium
++
++references:
++    disa: CCI-001314
++    srg: SRG-OS-000206-GPOS-00084
++    stigid@ubuntu2004: UBTU-20-010420
++
++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}'
++
++ocil: |-
++    {{{ ocil_file_group_owner(file="/var/log/syslog", group="adm") }}}
++
++template:
++    name: file_groupowner
++    vars:
++        filepath: /var/log/syslog
++        filegid: '4'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
+new file mode 100644
+index 00000000000..655b2cd1aef
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
+@@ -0,0 +1,65 @@
++documentation_complete: true
++
++prodtype: ubuntu2004
++
++title: 'Verify that system commands directories are group owned by root'
++
++description: |-
++    System commands files are stored in the following directories by default:
++    <pre>/bin
++    /sbin
++    /usr/bin
++    /usr/sbin
++    /usr/local/bin
++    /usr/local/sbin
++    </pre>
++    All these directories should be owned by the <tt>root</tt> group.
++    If the directory is found to be owned by a group other than root correct
++    its ownership with the following command:
++    <pre>$ sudo chgrp root <i>DIR</i></pre>
++
++rationale: |-
++    If the operating system allows any user to make changes to software
++    libraries, then those changes might be implemented without undergoing the
++    appropriate testing and approvals that are part of a robust change management
++    process.
++    This requirement applies to operating systems with software libraries
++    that are accessible and configurable, as in the case of interpreted languages.
++    Software libraries also include privileged programs which execute with
++    escalated privileges. Only qualified and authorized individuals must be
++    allowed to obtain access to information system components for purposes
++    of initiating changes, including upgrades and modifications.
++
++severity: medium
++
++references:
++    disa: CCI-001495
++    srg: SRG-OS-000258-GPOS-00099
++    stigid@ubuntu2004: UBTU-20-010425
++
++ocil_clause: 'any of these directories are not owned by root group'
++ 
++ocil: |-
++    System commands are stored in the following directories:
++    <pre>/bin
++    /sbin
++    /usr/bin
++    /usr/sbin
++    /usr/local/bin
++    /usr/local/sbin</pre>
++    For each of these directories, run the following command to find files not
++    owned by root group:
++    <pre>$ sudo find -L <i>$DIR</i> ! -group root -type d \;</pre>
++
++template:
++    name: file_groupowner
++    vars:
++        filepath:
++            - /bin/
++            - /sbin/
++            - /usr/bin/
++            - /usr/sbin/
++            - /usr/local/bin/
++            - /usr/local/sbin/
++        recursive: 'true'
++        filegid: '0'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
+deleted file mode 100644
+index 28df7839430..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
++++ /dev/null
+@@ -1,23 +0,0 @@
+-# platform = multi_platform_sle
+-# reboot = false
+-# strategy = restrict
+-# complexity = medium
+-# disruption = medium
+-- name: "Read list libraries without root ownership"
+-  find:
+-    paths:
+-      - "/usr/lib"
+-      - "/usr/lib64"
+-      - "/lib"
+-      - "/lib64"
+-    file_type: "directory"
+-  register: library_dirs_not_owned_by_root
+-
+-- name: "Set ownership of system library dirs to root"
+-  file:
+-    path: "{{ item.path }}"
+-    owner: "root"
+-    state: "directory"
+-    mode: "{{ item.mode }}"
+-  with_items: "{{ library_dirs_not_owned_by_root.files }}"
+-  when: library_dirs_not_owned_by_root.matched > 0
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
+new file mode 100644
+index 00000000000..f61a5f988dc
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
+@@ -0,0 +1,77 @@
++documentation_complete: true
++
++prodtype: ubuntu2004
++
++title: 'Verify that audit tools are owned by group root'
++
++description: |-
++    The {{{ full_name }}} operating system audit tools must have the proper
++    ownership configured to protected against unauthorized access.
++
++    Verify it by running the following command:
++    <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
++
++    /sbin/auditctl root
++    /sbin/aureport root
++    /sbin/ausearch root
++    /sbin/autrace root
++    /sbin/auditd root
++    /sbin/audispd root
++    /sbin/augenrules root
++    </pre>
++
++    Audit tools needed to successfully view and manipulate audit information
++    system activity and records. Audit tools include custom queries and report
++    generators
++
++rationale: |-
++    Protecting audit information also includes identifying and protecting the
++    tools used to view and manipulate log data. Therefore, protecting audit
++    tools is necessary to prevent unauthorized operation on audit information.
++ 
++    Operating systems providing tools to interface with audit information
++    will leverage user permissions and roles identifying the user accessing the
++    tools and the corresponding rights the user enjoys to make access decisions
++    regarding the access to audit tools.
++
++severity: medium
++
++references:
++    disa: CCI-001493,CCI-001494
++    srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
++    stigid@ubuntu2004: UBTU-20-010201
++
++ocil: |-
++    Verify it by running the following command:
++    <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
++
++    /sbin/auditctl root
++    /sbin/aureport root
++    /sbin/ausearch root
++    /sbin/autrace root
++    /sbin/auditd root
++    /sbin/audispd root
++    /sbin/augenrules root
++    </pre>
++
++    If the command does not return all the above lines, the missing ones
++    need to be added.
++
++    Run the following command to correct the permissions of the missing
++    entries:
++    <pre>$ sudo chown :root [audit_tool] </pre>
++
++    Replace "[audit_tool]" with each audit tool not group-owned by root.
++
++template:
++    name: file_groupowner
++    vars:
++        filepath:
++            - /sbin/auditctl
++            - /sbin/aureport
++            - /sbin/ausearch
++            - /sbin/autrace
++            - /sbin/auditd
++            - /sbin/audispd
++            - /sbin/augenrules
++        filegid: '0'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+index bb7c72550e9..a9e8c7d8e25 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
++# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+ 
+ for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
+ do
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
+index 7cf507ca5f4..33a0c85d35b 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
+@@ -1,10 +1,12 @@
+ #!/bin/bash
+ 
++groupadd group_test
++
+ for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
+ do
+    if [[ ! -f $TESTFILE ]]
+    then
+      touch $TESTFILE
+    fi
+-   chown nobody.nobody $TESTFILE
++   chgrp group_test $TESTFILE
+ done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
+deleted file mode 100644
+index 08019fd48bb..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
++++ /dev/null
+@@ -1,26 +0,0 @@
+-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
+-# reboot = false
+-# strategy = restrict
+-# complexity = high
+-# disruption = medium
+-
+-- name: "Read list libraries without root ownership"
+-  find:
+-    paths:
+-      - "/usr/lib"
+-      - "/usr/lib64"
+-      - "/lib"
+-      - "/lib64"
+-    file_type: "file"
+-  register: library_files_not_group_owned_by_root
+-
+-- name: "Set group ownership of system library files to root"
+-  file:
+-    path: "{{ item.path }}"
+-    group: "root"
+-    state: "file"
+-    mode: "{{ item.mode }}"
+-  with_items: "{{ library_files_not_group_owned_by_root.files }}"
+-  when:
+-    - library_files_not_group_owned_by_root.matched > 0
+-    - item.gid != 0
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
+deleted file mode 100644
+index 3a42beafb8a..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
++++ /dev/null
+@@ -1,7 +0,0 @@
+-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
+-
+-find /lib \
+-/lib64 \
+-/usr/lib \
+-/usr/lib64 \
+-\! -group root -type f -exec chgrp root '{}' \;
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+deleted file mode 100644
+index f5ca9380b55..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
++++ /dev/null
+@@ -1,27 +0,0 @@
+-<def-group>
+-  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
+-    {{{ oval_metadata("
+-        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
+-        are owned by root.
+-      ") }}}
+-    <criteria >
+-      <criterion test_ref="test_root_permissions_for_syslibrary_files" />
+-    </criteria>
+-  </definition>
+-
+-  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
+-    <unix:object object_ref="root_permissions_for_system_wide_library_files" />
+-  </unix:file_test>
+-
+-  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
+-    <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
+-        are owned by root. -->
+-    <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
+-    <unix:filename operation="pattern match">^.*$</unix:filename>
+-    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
+-  </unix:file_object>
+-
+-  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
+-    <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
+-  </unix:file_state>
+-</def-group>
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+index 17923f52ea6..eaf04c8d36c 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15
++prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
+ 
+ title: |-
+     Verify the system-wide library files in directories
+@@ -46,6 +46,7 @@ references:
+     stigid@rhel8: RHEL-08-010350
+     stigid@sle12: SLES-12-010875
+     stigid@sle15: SLES-15-010355
++    stigid@ubuntu2004: UBTU-20-01430
+ 
+ ocil_clause: 'system wide library files are not group owned by root'
+ 
+@@ -59,3 +60,14 @@ ocil: |-
+     To find if system-wide library files stored in these directories are not group-owned by
+     root run the following command for each directory <i>DIR</i>:
+     <pre>$ sudo find -L <i>DIR</i> ! -group root -type f </pre>
++
++template:
++    name: file_groupowner
++    vars:
++        filepath:
++            - /lib/
++            - /lib64/
++            - /usr/lib/
++            - /usr/lib64/
++        file_regex: ^.*$
++        filegid: '0'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
+similarity index 86%
+rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
+index a4ae2854db1..0e982c3b8ca 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+ 
+ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
+ do
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
+similarity index 70%
+rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
+index c96f65b989c..23a7703f57d 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
+@@ -1,10 +1,11 @@
+-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+ 
++groupadd group_test
+ for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+ do
+    if [[ ! -f $TESTFILE ]]
+    then
+      touch $TESTFILE
+    fi
+-   chown nobody.nobody $TESTFILE
++   chgrp group_test $TESTFILE
+ done
+diff --git a/shared/templates/file_groupowner/tests/missing_file_test.pass.sh b/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
+index 938e6b30819..015ff98c99d 100644
+--- a/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
++++ b/shared/templates/file_groupowner/tests/missing_file_test.pass.sh
+@@ -1,8 +1,20 @@
+ #!/bin/bash
+ #
+ 
+-{{% if MISSING_FILE_PASS %}}
+-    rm -f {{{ FILEPATH }}}
+-{{% else %}}
+-    true
+-{{% endif %}}
++{{% for path in FILEPATH %}}
++    {{% if MISSING_FILE_PASS %}}
++        rm -f {{{ path }}}
++    {{% else %}}
++        {{% if IS_DIRECTORY and FILE_REGEX %}}
++        echo "Create specific tests for this rule because of regex"
++        {{% elif IS_DIRECTORY and RECURSIVE %}}
++        find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
++        {{% else %}}
++        if [ ! -f {{{ path }}} ]; then
++            mkdir -p "$(dirname '{{{ path }}}')"
++            touch {{{ path }}}
++        fi
++        chgrp {{{ FILEGID }}} {{{ path }}}
++        {{% endif %}}
++    {{% endif %}}
++{{% endfor %}}

scap-security-guide-0.1.61-file_owner-PR_7789.patch

@@ -0,0 +1,288 @@
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
+new file mode 100644
+index 00000000000..968ef336148
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
+@@ -0,0 +1,39 @@
++documentation_complete: true
++
++title: 'Audit Configuration Files Must Be Owned By Root'
++
++description: |-
++    All audit configuration files must be owned by root user.
++    {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
++    {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
++
++rationale: |-
++    Without the capability to restrict which roles and individuals can
++    select which events are audited, unauthorized personnel may be able
++    to prevent the auditing of critical events.
++    Misconfigured audits may degrade the system's performance by
++    overwhelming the audit log. Misconfigured audits may also make it more
++    difficult to establish, correlate, and investigate the events relating
++    to an incident or identify those responsible for one.
++
++severity: medium
++
++references:
++    disa: CCI-000171
++    srg: SRG-OS-000063-GPOS-00032
++    stigid@ubuntu2004: UBTU-20-010134
++
++ocil: |-
++    {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
++    {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
++
++template:
++    name: file_owner
++    vars:
++        filepath:
++            - /etc/audit/
++            - /etc/audit/rules.d/
++        file_regex:
++            - ^audit(\.rules|d\.conf)$
++            - ^.*\.rules$
++        fileuid: '0'
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
+new file mode 100644
+index 00000000000..4d67307a1ef
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# packages = audit
++
++chown 0 /etc/audit/audit.rules
++chown 0 /etc/audit/auditd.conf
++chown 0 -R /etc/audit/rules.d/
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
+new file mode 100644
+index 00000000000..337074fab92
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# packages = audit
++
++useradd testuser_123
++chown testuser_123 /etc/audit/audit.rules
++chown testuser_123 /etc/audit/auditd.conf
++chown testuser_123 -R /etc/audit/rules.d/
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
+new file mode 100644
+index 00000000000..f1bf515455d
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
+@@ -0,0 +1,27 @@
++documentation_complete: true
++
++title: 'Verify User Who Owns /var/log/syslog File'
++
++description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
++
++rationale: |-
++    The <tt>/var/log/syslog</tt> file contains logs of error messages in
++    the system and should only be accessed by authorized personnel.
++
++severity: medium
++
++references:
++    disa: CCI-001314
++    srg: SRG-OS-000206-GPOS-00084
++    stigid@ubuntu2004: UBTU-20-010421
++
++ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
++
++ocil: |-
++    {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
++
++template:
++    name: file_owner
++    vars:
++        filepath: /var/log/syslog
++        fileuid: '104'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
+new file mode 100644
+index 00000000000..e2362388678
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
+@@ -0,0 +1,55 @@
++documentation_complete: true
++
++title: 'Verify that System Executable Have Root Ownership'
++
++description: |-
++    <pre>/bin
++    /sbin
++    /usr/bin
++    /usr/sbin
++    /usr/local/bin
++    /usr/local/sbin</pre>
++    All these directories should be owned by the <tt>root</tt> user.
++    If any directory <i>DIR</i> in these directories is found
++    to be owned by a user other than root, correct its ownership with the
++    following command:
++    <pre>$ sudo chown root <i>DIR</i></pre>
++
++rationale: |-
++    System binaries are executed by privileged users as well as system services,
++    and restrictive permissions are necessary to ensure that their
++    execution of these programs cannot be co-opted.
++
++severity: medium
++
++references:
++    disa: CCI-001495
++    srg: SRG-OS-000258-GPOS-00099
++    stigid@ubuntu2004: UBTU-20-010424
++
++ocil_clause: 'any system exectables directories are found to not be owned by root'
++
++ocil: |-
++    System executables are stored in the following directories by default:
++    <pre>/bin
++    /sbin
++    /usr/bin
++    /usr/local/bin
++    /usr/local/sbin
++    /usr/sbin</pre>
++    For each of these directories, run the following command to find files
++    not owned by root:
++    <pre>$ sudo find -L <i>DIR/</i> ! -user root -type d -exec chown root {} \;</pre>
++
++template:
++    name: file_owner
++    vars:
++        filepath:
++            - /bin/
++            - /sbin/
++            - /usr/bin/
++            - /usr/sbin/
++            - /usr/local/bin/
++            - /usr/local/sbin/
++        recursive: 'true'
++        fileuid: '0'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
+new file mode 100644
+index 00000000000..0c7d9b313d5
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
+@@ -0,0 +1,77 @@
++documentation_complete: true
++
++prodtype: ubuntu2004
++
++title: 'Verify that audit tools are owned by root'
++
++description: |-
++    The {{{ full_name }}} operating system audit tools must have the proper
++    ownership configured to protected against unauthorized access.
++
++    Verify it by running the following command:
++    <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
++
++    /sbin/auditctl root
++    /sbin/aureport root
++    /sbin/ausearch root
++    /sbin/autrace root
++    /sbin/auditd root
++    /sbin/audispd root
++    /sbin/augenrules root
++    </pre>
++
++    Audit tools needed to successfully view and manipulate audit information
++    system activity and records. Audit tools include custom queries and report
++    generators
++
++rationale: |-
++    Protecting audit information also includes identifying and protecting the
++    tools used to view and manipulate log data. Therefore, protecting audit
++    tools is necessary to prevent unauthorized operation on audit information.
++ 
++    Operating systems providing tools to interface with audit information
++    will leverage user permissions and roles identifying the user accessing the
++    tools and the corresponding rights the user enjoys to make access decisions
++    regarding the access to audit tools.
++
++severity: medium
++
++references:
++    disa: CCI-001493,CCI-001494
++    srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
++    stigid@ubuntu2004: UBTU-20-010200
++
++ocil: |-
++    Verify it by running the following command:
++    <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
++
++    /sbin/auditctl root
++    /sbin/aureport root
++    /sbin/ausearch root
++    /sbin/autrace root
++    /sbin/auditd root
++    /sbin/audispd root
++    /sbin/augenrules root
++    </pre>
++
++    If the command does not return all the above lines, the missing ones
++    need to be added.
++
++    Run the following command to correct the permissions of the missing
++    entries:
++    <pre>$ sudo chown root [audit_tool] </pre>
++
++    Replace "[audit_tool]" with each audit tool not owned by root.
++
++template:
++    name: file_owner
++    vars:
++        filepath:
++            - /sbin/auditctl
++            - /sbin/aureport
++            - /sbin/ausearch
++            - /sbin/autrace
++            - /sbin/auditd
++            - /sbin/audispd
++            - /sbin/augenrules
++        fileuid: '0'
+diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
+index 80eaae8d50b..590c9fc6055 100644
+--- a/shared/templates/file_owner/ansible.template
++++ b/shared/templates/file_owner/ansible.template
+@@ -25,7 +25,7 @@
+ 
+ - name: Ensure owner on {{{ path }}} recursively
+   file:
+-    paths "{{{ path }}}"
++    path: "{{{ path }}}"
+     state: directory
+     recurse: yes
+     owner: "{{{ FILEUID }}}"
+diff --git a/shared/templates/file_owner/tests/missing_file_test.pass.sh b/shared/templates/file_owner/tests/missing_file_test.pass.sh
+index 938e6b30819..4e3683f9dcf 100644
+--- a/shared/templates/file_owner/tests/missing_file_test.pass.sh
++++ b/shared/templates/file_owner/tests/missing_file_test.pass.sh
+@@ -1,8 +1,18 @@
+ #!/bin/bash
+ #
+ 
+-{{% if MISSING_FILE_PASS %}}
+-    rm -f {{{ FILEPATH }}}
+-{{% else %}}
+-    true
+-{{% endif %}}
++{{% for path in FILEPATH %}}
++    {{% if MISSING_FILE_PASS %}}
++        rm -f {{{ path }}}
++    {{% else %}}
++        {{% if IS_DIRECTORY and RECURSIVE %}}
++        find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
++        {{% else %}}
++        if [ ! -f {{{ path }}} ]; then
++            mkdir -p "$(dirname '{{{ path }}}')"
++            touch {{{ path }}}
++        fi
++        chown {{{ FILEUID }}} {{{ path }}}
++        {{% endif %}}
++    {{% endif %}}
++{{% endfor %}}

scap-security-guide-0.1.61-file_permissions-PR_7788.patch

@@ -0,0 +1,409 @@
+diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
+new file mode 100644
+index 00000000000..93fd73e6ece
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
+@@ -0,0 +1,14 @@
++# platform = multi_platform_ubuntu
++
++readarray -t files < <(find /var/log/)
++for file in "${files[@]}"; do
++    if basename $file | grep -qE '^.*$'; then
++        chmod 0640 $file
++    fi
++done
++
++if grep -qE "^f \/var\/log\/(btmp|wtmp|lastlog)? " /usr/lib/tmpfiles.d/var.conf; then
++    sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/btmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
++    sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/wtmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
++    sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/lastlog[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
++fi
+diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
+deleted file mode 100644
+index dd95ce05936..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
++++ /dev/null
+@@ -1,36 +0,0 @@
+-<def-group>
+-  <definition class="compliance" id="permissions_local_var_log" version="1">
+-    {{{ oval_metadata("
+-        Checks that files in /var/log have permission at least 0640
+-      ") }}}
+-    <criteria operator="AND">
+-      <criterion test_ref="test_mode_log_files" />
+-    </criteria>
+-  </definition>
+-
+-  <unix:file_test  check="all" check_existence="none_exist" comment="log file with less restrictive permission than 0640" id="test_mode_log_files" version="1">
+-    <unix:object object_ref="object_file_mode_log_files" />
+-  </unix:file_test>
+-
+-  <unix:file_object comment="log files" id="object_file_mode_log_files" version="1">
+-    <unix:path operation="pattern match">^\/var\/log\/</unix:path>
+-    <unix:filename operation="pattern match">^.*$</unix:filename>
+-    <filter action="include">log_files_permission_more_0640</filter>
+-    <filter action="exclude">var_log_symlinks</filter>
+-  </unix:file_object>
+-
+-  <unix:file_state id="log_files_permission_more_0640" version="1" operator="OR">
+-     <!-- if any one of these is true then mode is NOT 0640 (hence the OR operator) -->
+-    <unix:uexec datatype="boolean">true</unix:uexec>
+-    <unix:gwrite datatype="boolean">true</unix:gwrite>
+-    <unix:gexec datatype="boolean">true</unix:gexec>
+-    <unix:oread datatype="boolean">true</unix:oread>
+-    <unix:owrite datatype="boolean">true</unix:owrite>
+-    <unix:oexec datatype="boolean">true</unix:oexec>
+-  </unix:file_state>
+-
+-  <unix:file_state id="var_log_symlinks" version="1">
+-    <unix:type operation="equals">symbolic link</unix:type>
+-  </unix:file_state>
+-
+-</def-group>
+diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
+index 2b0431b7763..9ce79cfde4e 100644
+--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
+@@ -47,3 +47,10 @@ ocil: |-
+     <pre>
+     sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;
+     </pre>
++
++template:
++    name: file_permissions
++    vars:
++        filepath: /var/log/
++        file_regex: '.*'
++        filemode: '0640'
+diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
+index 5317ef272b8..1793259cff5 100644
+--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
+@@ -1,5 +1,6 @@
+ #!/bin/bash
+ 
++chmod -R 640 /var/log
+ mkdir -p /var/log/testme
+ touch /var/log/testme/test.log
+ chmod 640 /var/log/testme/test.log
+diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
+index 83db1acf8d3..69b081473a5 100644
+--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
+ 
++chmod -R 640 /var/log/
+ mkdir -p /var/log/testme
+ chmod 777 /var/log/testme
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
+new file mode 100644
+index 00000000000..93962ea66a7
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
+@@ -0,0 +1,7 @@
++# platform = multi_platform_ubuntu
++
++chmod 0755 /var/log/
++
++if grep -q "^z \/var\/log " /usr/lib/tmpfiles.d/00rsyslog.conf; then
++    sed -i --follow-symlinks "s/\(^z[[:space:]]\+\/var\/log[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10755/" /usr/lib/tmpfiles.d/00rsyslog.conf
++fi
+diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
+new file mode 100644
+index 00000000000..73258d40fdc
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
+@@ -0,0 +1,28 @@
++documentation_complete: true
++
++title: 'Verify Permissions on /var/log/syslog File'
++
++description: |-
++    {{{ describe_file_permissions(file="/var/log/syslog", perms="0640") }}}
++
++rationale: |-
++    The <tt>/var/log/syslog</tt> file contains logs of error messages in
++    the system and should only be accessed by authorized personnel.
++
++severity: medium
++
++references:
++    disa: CCI-001314
++    srg: SRG-OS-000206-GPOS-00084
++    stigid@ubuntu2004: UBTU-20-010422
++
++ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}'
++
++ocil: |-
++    {{{ ocil_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}
++
++template:
++    name: file_permissions
++    vars:
++        filepath: /var/log/syslog
++        filemode: '0640'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
+new file mode 100644
+index 00000000000..a666c768870
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
+@@ -0,0 +1,57 @@
++documentation_complete: true
++
++title: 'Verify that System Executable Directories Have Restrictive Permissions'
++
++description: |-
++    System executables are stored in the following directories by default:
++    <pre>/bin
++    /sbin
++    /usr/bin
++    /usr/sbin
++    /usr/local/bin
++    /usr/local/sbin</pre>
++    These directories should not be group-writable or world-writable.
++    If any directory <i>DIR</i> in these directories is found to be
++    group-writable or world-writable, correct its permission with the
++    following command:
++    <pre>$ sudo chmod go-w <i>DIR</i></pre>
++
++rationale: |-
++    System binaries are executed by privileged users, as well as system services,
++    and restrictive permissions are necessary to ensure execution of these programs
++    cannot be co-opted.
++
++severity: medium
++
++references:
++    disa: CCI-001495
++    srg: SRG-OS-000258-GPOS-00099
++    stigid@ubuntu2004: UBTU-20-010423
++
++ocil_clause: 'any of these files are group-writable or world-writable'
++
++ocil: |-
++    System executables are stored in the following directories by default:
++    <pre>/bin
++    /sbin
++    /usr/bin
++    /usr/sbin
++    /usr/local/bin
++    /usr/local/sbin</pre>
++    To find system executables directories that are group-writable or
++    world-writable, run the following command for each directory <i>DIR</i>
++    which contains system executables:
++    <pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
++
++template:
++    name: file_permissions
++    vars:
++        filepath:
++            - /bin/
++            - /sbin/
++            - /usr/bin/
++            - /usr/sbin/
++            - /usr/local/bin/
++            - /usr/local/sbin/
++        recursive: 'true'
++        filemode: '0755'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+index 3f7239deef9..af078463b05 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle
++# platform = multi_platform_sle,multi_platform_ubuntu
+ DIRS="/lib /lib64 /usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
+ 	find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
+index 1f68586853d..d58616bcafb 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
+@@ -1,5 +1,6 @@
+-# platform = multi_platform_sle
++# platform = multi_platform_sle,multi_platform_ubuntu
+ DIRS="/lib /lib64 /usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
++    chmod -R 755 "$dirPath"
+ 	mkdir -p "$dirPath/testme" && chmod 700  "$dirPath/testme"
+ done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
+index b60a7269568..98d18cde3ea 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle
++# platform = multi_platform_sle,multi_platform_ubuntu
+ DIRS="/lib /lib64"
+ for dirPath in $DIRS; do
+ 	mkdir -p "$dirPath/testme" && chmod 777  "$dirPath/testme"
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
+index 5438b51bb6a..6df6e2f8f9b 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle
++# platform = multi_platform_sle,multi_platform_ubuntu
+ DIRS="/usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
+ 	mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
+new file mode 100644
+index 00000000000..da42e997478
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
+@@ -0,0 +1,78 @@
++documentation_complete: true
++
++prodtype: ubuntu2004
++
++title: 'Verify that audit tools Have Mode 0755 or less'
++
++description: |-
++    The {{{ full_name }}} operating system audit tools must have the proper
++    permissions configured to protected against unauthorized access.
++
++    Verify it by running the following command:
++    <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
++
++    /sbin/auditctl 755
++    /sbin/aureport 755
++    /sbin/ausearch 755
++    /sbin/autrace 755
++    /sbin/auditd 755
++    /sbin/audispd 755
++    /sbin/augenrules 755
++    </pre>
++
++    Audit tools needed to successfully view and manipulate audit information
++    system activity and records. Audit tools include custom queries and report
++    generators
++
++rationale: |-
++    Protecting audit information also includes identifying and protecting the
++    tools used to view and manipulate log data. Therefore, protecting audit
++    tools is necessary to prevent unauthorized operation on audit information.
++ 
++    Operating systems providing tools to interface with audit information
++    will leverage user permissions and roles identifying the user accessing the
++    tools and the corresponding rights the user enjoys to make access decisions
++    regarding the access to audit tools.
++
++severity: medium
++
++references:
++    disa: CCI-001493,CCI-001494
++    srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098
++    stigid@ubuntu2004: UBTU-20-010199
++
++ocil: |-
++    Verify it by running the following command:
++    <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
++
++    /sbin/auditctl 755
++    /sbin/aureport 755
++    /sbin/ausearch 755
++    /sbin/autrace 755
++    /sbin/auditd 755
++    /sbin/audispd 755
++    /sbin/augenrules 755
++    </pre>
++
++    If the command does not return all the above lines, the missing ones
++    need to be added.
++
++    Run the following command to correct the permissions of the missing
++    entries:
++    <pre>$ sudo chmod 0755 [audit_tool] </pre>
++
++    Replace "[audit_tool]" with the audit tool that does not have the
++    correct permissions.
++
++template:
++    name: file_permissions
++    vars:
++        filepath:
++            - /sbin/auditctl
++            - /sbin/aureport
++            - /sbin/ausearch
++            - /sbin/autrace
++            - /sbin/auditd
++            - /sbin/audispd
++            - /sbin/augenrules
++        filemode: '0755'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
+index de2e1e98dfa..ab89b277a52 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle
++# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
+ DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+ for dirPath in $DIRS; do
+ 	find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
+new file mode 100644
+index 00000000000..59b8838581c
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++
++DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
++for dirPath in $DIRS; do
++    find "$dirPath" -perm /022 -type f -exec chmod 0755 '{}' \;
++done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
+new file mode 100644
+index 00000000000..9d9ce30064b
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++
++DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
++for dirPath in $DIRS; do
++    find "$dirPath" -type f -exec chmod 0777 '{}' \;
++done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
+new file mode 100644
+index 00000000000..de388e63325
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++
++DIRS="/lib /lib64 /usr/lib /usr/lib64"
++for dirPath in $DIRS; do
++    chmod -R 755 "$dirPath"
++done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
+new file mode 100644
+index 00000000000..913e75e7b17
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++DIRS="/lib /lib64 /usr/lib /usr/lib64"
++for dirPath in $DIRS; do
++    find "$dirPath" -type d -exec chmod go-w '{}' \;
++    find "$dirPath" -type f -exec chmod go+w '{}' \;
++done
+diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template
+index 89083e812c1..6b3616a7f42 100644
+--- a/shared/templates/file_permissions/oval.template
++++ b/shared/templates/file_permissions/oval.template
+@@ -67,6 +67,11 @@
+       #}}
+       <filter action="include">state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_not_{{{ FILEMODE }}}</filter>
+     {{%- endif %}}
++      <filter action="exclude">exclude_symlinks_{{{ FILEID }}}</filter>
+   </unix:file_object>
+   {{% endfor %}}
++
++  <unix:file_state id="exclude_symlinks_{{{ FILEID }}}" version="1">
++    <unix:type operation="equals">symbolic link</unix:type>
++  </unix:file_state>
+ </def-group>

scap-security-guide-0.1.61-ospp-audit.conf-rules-PR_8188.patch

@@ -0,0 +1,22 @@
+From 1ff5b861e51e62602386524820b4382976540f03 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 9 Feb 2022 19:26:54 +0100
+Subject: [PATCH] drop not needed rules
+
+---
+ products/rhel9/profiles/ospp.profile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 065681d93a7..c3f4e2d26eb 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -149,8 +149,6 @@ selections:
+     - service_auditd_enabled
+     - var_auditd_flush=incremental_async
+     - auditd_data_retention_flush
+-    - auditd_local_events
+-    - auditd_write_logs
+     - auditd_log_format
+     - auditd_freq
+     - auditd_name_format

scap-security-guide-0.1.61-ospp-boot-parametersb-PR_8092.patch

@@ -0,0 +1,397 @@
+From 742e103392746dac771663247d169cfe498ee658 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 21 Jan 2022 14:02:16 +0100
+Subject: [PATCH 1/7] modify vsyscall rules according to rhel9 ospp
+
+add references
+make rules scored in th e profile
+---
+ .../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml  | 1 +
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml    | 3 +++
+ products/rhel9/profiles/ospp.profile                          | 4 ----
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+index 1dd26fea9b6..9f38a1c13b9 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+@@ -25,6 +25,7 @@ identifiers:
+ references:
+     disa: CCI-001084
+     nist: CM-7(a)
++    ospp: FPT_ASLR_EXT.1
+     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
+     stigid@ol8: OL08-00-010422
+     stigid@rhel8: RHEL-08-010422
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 52b192ffc52..9d645c8876e 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -21,6 +21,9 @@ identifiers:
+     cce@rhel8: CCE-83381-4
+     cce@rhel9: CCE-84100-7
+ 
++references:
++    ospp: FPT_ASLR_EXT.1
++
+ ocil_clause: 'vsyscalls are enabled'
+ 
+ ocil: |-
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 287a28c43c5..f0b850a4ced 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -128,8 +128,6 @@ selections:
+     - grub2_slub_debug_argument
+     - grub2_page_poison_argument
+     - grub2_vsyscall_argument
+-    - grub2_vsyscall_argument.role=unscored
+-    - grub2_vsyscall_argument.severity=info
+     - grub2_pti_argument
+     - grub2_kernel_trust_cpu_rng
+ 
+@@ -421,5 +419,3 @@ selections:
+     - zipl_slub_debug_argument
+     - zipl_page_poison_argument
+     - zipl_vsyscall_argument
+-    - zipl_vsyscall_argument.role=unscored
+-    - zipl_vsyscall_argument.severity=info
+
+From d167658d46accbc75200a5d145a746322f1c2d4a Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 21 Jan 2022 14:05:24 +0100
+Subject: [PATCH 2/7] add ospp references to fips rules
+
+---
+ .../software/integrity/fips/enable_dracut_fips_module/rule.yml  | 1 +
+ .../system/software/integrity/fips/enable_fips_mode/rule.yml    | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
+index f342b9b8d95..3b7c3229b6f 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
+@@ -29,6 +29,7 @@ references:
+     ism: "1446"
+     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
+     nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
++    ospp: FCS_RBG_EXT.1
+     srg: SRG-OS-000478-GPOS-00223
+     stigid@ol8: OL08-00-010020
+     stigid@rhel8: RHEL-08-010020
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+index 7559e61600d..9d89114b07f 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+@@ -39,7 +39,7 @@ references:
+     ism: "1446"
+     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
+     nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
+-    ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
++    ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1,FCS_RBG_EXT.1
+     srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176
+     stigid@ol8: OL08-00-010020
+     stigid@rhel8: RHEL-08-010020
+
+From f05e895bb96b64a5142e62e3dd0f7208633d5c23 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 21 Jan 2022 14:08:36 +0100
+Subject: [PATCH 3/7] drop no longer needed rules from ospp rhel9 profile
+
+---
+ products/rhel9/profiles/ospp.profile | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index f0b850a4ced..7e30054bc98 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -125,11 +125,7 @@ selections:
+     ## Boot prompt
+     - grub2_audit_argument
+     - grub2_audit_backlog_limit_argument
+-    - grub2_slub_debug_argument
+-    - grub2_page_poison_argument
+     - grub2_vsyscall_argument
+-    - grub2_pti_argument
+-    - grub2_kernel_trust_cpu_rng
+ 
+     ## Security Settings
+     - sysctl_kernel_kptr_restrict
+@@ -416,6 +412,4 @@ selections:
+     - zipl_bootmap_is_up_to_date
+     - zipl_audit_argument
+     - zipl_audit_backlog_limit_argument
+-    - zipl_slub_debug_argument
+-    - zipl_page_poison_argument
+     - zipl_vsyscall_argument
+
+From 972ae269eff95de8a6914056d38e58b7aeafb8c3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 21 Jan 2022 15:12:46 +0100
+Subject: [PATCH 4/7] add grub2_init_on_alloc rule
+
+---
+ .../grub2_init_on_alloc_argument/rule.yml     | 46 +++++++++++++++++++
+ shared/references/cce-redhat-avail.txt        |  1 -
+ 2 files changed, 46 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
+new file mode 100644
+index 00000000000..592e2fb117d
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
+@@ -0,0 +1,46 @@
++documentation_complete: true
++
++prodtype: rhel9
++
++title: 'Configure kernel to zero out memory before allocation (through Grub2)'
++
++description: |-
++    To configure the kernel to zero out memory before allocating it, add the
++    <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line for
++    the Linux operating system in <tt>/etc/default/grub</tt>, in the manner
++    below:
++    <pre>GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"</pre>
++    Update the boot parameter for existing kernels by running the following command:
++    <pre># grubby --update-kernel=ALL --args="init_on_alloc=1"</pre>
++
++rationale: |-
++    When the kernel configuration option <tt>init_on_alloc</tt> is enabled,
++    all page allocator and slab allocator memory will be zeroed when allocated,
++    eliminating many kinds of "uninitialized heap memory" flaws, effectively
++    preventing data leaks.
++
++severity: medium
++
++identifiers:
++    cce@rhel9: CCE-85867-0
++
++ocil_clause: 'the kernel is not configured to zero out memory before allocation'
++
++ocil: |-
++    Make sure that the kernel is configured to zero out memory before
++    allocation. Ensure that the parameter is configured in
++    <tt>/etc/default/grub</tt>:
++    <pre>grep GRUB_CMDLINE_LINUX /etc/default/grub</pre>
++    The output should contain <tt>init_on_alloc=1</tt>.
++    Run the following command to display command line parameters of all
++    installed kernels:
++    <pre># grubby --info=ALL | grep args</pre>
++    Ensure that each line contains the <tt>init_on_alloc=1</tt> parameter.
++
++platform: machine
++
++template:
++    name: grub2_bootloader_argument
++    vars:
++        arg_name: init_on_alloc
++        arg_value: '1'
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 8aad24b20f7..6835189cd99 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -1,4 +1,3 @@
+-CCE-85867-0
+ CCE-85868-8
+ CCE-85872-0
+ CCE-85873-8
+
+From a865514257c85d79aaf7e4286d8723aa1ad8de03 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 24 Jan 2022 10:01:23 +0100
+Subject: [PATCH 5/7] add zipl_init_on_alloc_argument rule
+
+---
+ .../zipl_init_on_alloc_argument/rule.yml      | 41 +++++++++++++++++++
+ .../tests/correct_option.pass.sh              | 15 +++++++
+ .../tests/missing_in_cmdline.fail.sh          | 13 ++++++
+ .../tests/missing_in_entry.fail.sh            | 13 ++++++
+ shared/references/cce-redhat-avail.txt        |  1 -
+ 5 files changed, 82 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
+new file mode 100644
+index 00000000000..b47a7757327
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: rhel9
++
++title: 'Configure kernel to zero out memory before allocation (through zIPl)'
++
++description: |-
++    To ensure that the kernel is configured to zero out memory before
++    allocation, check that all boot entries in
++    <tt>/boot/loader/entries/*.conf</tt> have <tt>init_on_alloc=1</tt>
++    included in its options.<br />
++
++    To ensure that new kernels and boot entries continue to zero out memory
++    before allocation, add <tt>init_on_alloc=1</tt> to <tt>/etc/kernel/cmdline</tt>.
++
++rationale: |-
++    When the kernel configuration option <tt>init_on_alloc</tt> is enabled,
++    all page allocator and slab allocator memory will be zeroed when allocated,
++    eliminating many kinds of "uninitialized heap memory" flaws, effectively
++    preventing data leaks.
++
++severity: medium
++
++identifiers:
++    cce@rhel9: CCE-85868-8
++
++ocil_clause: 'the kernel is not configured to zero out memory before allocation'
++
++ocil: |-
++  To check that the kernel is configured to zero out memory before allocation
++  time, check all boot entries with following command:
++  <pre>sudo grep -L"^options\s+.*\binit_on_alloc=1\b" /boot/loader/entries/*.conf</pre>
++  No line should be returned, each line returned is a boot entry that doesn't enable audit.
++
++platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: init_on_alloc
++    arg_value: '1'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
+new file mode 100644
+index 00000000000..50cf1b78f70
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
++
++# Make sure boot loader entries contain init_on_alloc=1
++for file in /boot/loader/entries/*.conf
++do
++    if ! grep -q '^options.*init_on_alloc=1.*$' "$file" ; then
++        sed -i '/^options / s/$/ init_on_alloc=1/' "$file"
++    fi
++done
++
++# Make sure /etc/kernel/cmdline contains init_on_alloc=1
++if ! grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline ; then
++    echo "init_on_alloc=1" >> /etc/kernel/cmdline
++fi
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
+new file mode 100644
+index 00000000000..7c0d9154776
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
++
++# Make sure boot loader entries contain init_on_alloc=1
++for file in /boot/loader/entries/*.conf
++do
++    if ! grep -q '^options.*init_on_alloc=1.*$' "$file" ; then
++        sed -i '/^options / s/$/ init_on_alloc=1/' "$file"
++    fi
++done
++
++# Make sure /etc/kernel/cmdline doesn't contain init_on_alloc=1
++sed -Ei 's/(^.*)init_on_alloc=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
+new file mode 100644
+index 00000000000..9d330c9192d
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
++
++# Remove init_on_alloc=1 from all boot entries
++sed -Ei 's/(^options.*\s)init_on_alloc=1(.*?)$/\1\2/' /boot/loader/entries/*
++# But make sure one boot loader entry contains init_on_alloc=1
++sed -i '/^options / s/$/ init_on_alloc=1/' /boot/loader/entries/*rescue.conf
++sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
++
++# Make sure /etc/kernel/cmdline contains init_on_alloc=1
++if ! grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline ; then
++    echo "init_on_alloc=1" >> /etc/kernel/cmdline
++fi
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 6835189cd99..05a641aeaf0 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -1,4 +1,3 @@
+-CCE-85868-8
+ CCE-85872-0
+ CCE-85873-8
+ CCE-85874-6
+
+From 9ca5ec04e734941b1c401369b6da6672b42824b1 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 24 Jan 2022 10:07:24 +0100
+Subject: [PATCH 6/7] add new rules to rhel9 ospp
+
+---
+ products/rhel9/profiles/ospp.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 7e30054bc98..28c7e92d298 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -126,6 +126,7 @@ selections:
+     - grub2_audit_argument
+     - grub2_audit_backlog_limit_argument
+     - grub2_vsyscall_argument
++    - grub2_init_on_alloc_argument
+ 
+     ## Security Settings
+     - sysctl_kernel_kptr_restrict
+@@ -413,3 +414,4 @@ selections:
+     - zipl_audit_argument
+     - zipl_audit_backlog_limit_argument
+     - zipl_vsyscall_argument
++    - zipl_init_on_alloc_argument
+
+From 42a118bcc615051ae4cd268a5fc758aa5d75108d Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 27 Jan 2022 14:08:20 +0100
+Subject: [PATCH 7/7] make rule names consistent
+
+---
+ .../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml      | 2 +-
+ .../system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
+index 592e2fb117d..a9253c74cc6 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
+@@ -2,7 +2,7 @@ documentation_complete: true
+ 
+ prodtype: rhel9
+ 
+-title: 'Configure kernel to zero out memory before allocation (through Grub2)'
++title: 'Configure kernel to zero out memory before allocation'
+ 
+ description: |-
+     To configure the kernel to zero out memory before allocating it, add the
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
+index b47a7757327..fa272250a28 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
+@@ -2,7 +2,7 @@ documentation_complete: true
+ 
+ prodtype: rhel9
+ 
+-title: 'Configure kernel to zero out memory before allocation (through zIPl)'
++title: 'Configure kernel to zero out memory before allocation in zIPL'
+ 
+ description: |-
+     To ensure that the kernel is configured to zero out memory before

scap-security-guide-0.1.61-ospp-remove-kernel-disable-rules-PR_8093.patch

@@ -0,0 +1,25 @@
+From e38df8801bd2c1bb1e419151f4f0fe8923287bfc Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 24 Jan 2022 10:13:13 +0100
+Subject: [PATCH] drop rules
+
+---
+ products/rhel9/profiles/ospp.profile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 287a28c43c5..436ea1f3a49 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -161,11 +161,8 @@ selections:
+     - auditd_name_format
+ 
+     ### Module Blacklist
+-    - kernel_module_cramfs_disabled
+     - kernel_module_bluetooth_disabled
+     - kernel_module_sctp_disabled
+-    - kernel_module_firewire-core_disabled
+-    - kernel_module_atm_disabled
+     - kernel_module_can_disabled
+     - kernel_module_tipc_disabled
+ 

scap-security-guide-0.1.61-pwquality-PR_8185.patch

@@ -0,0 +1,855 @@
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml
+new file mode 100644
+index 00000000000..b44c91cbf4a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml
+@@ -0,0 +1,150 @@
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = medium
++
++- name: Check for existing pam_pwquality.so entry
++  ansible.builtin.lineinfile:
++    path: "/etc/pam.d/password-auth"
++    create: no
++    regexp: '^password.*pam_pwquality.so.*'
++    state: absent
++  check_mode: true
++  changed_when: false
++  register: result_pam_pwquality_present
++
++- name: Check if system relies on authselect
++  ansible.builtin.stat:
++    path: /usr/bin/authselect
++  register: result_authselect_present
++
++- name: "Remediation where authselect tool is present"
++  block:
++    - name: Check the integrity of the current authselect profile
++      ansible.builtin.command:
++        cmd: authselect check
++      register: result_authselect_check_cmd
++      changed_when: false
++      ignore_errors: true
++
++    - name: Informative message based on the authselect integrity check result
++      ansible.builtin.assert:
++        that:
++          - result_authselect_check_cmd is success
++        fail_msg:
++        - authselect integrity check failed. Remediation aborted!
++        - This remediation could not be applied because the authselect profile is not intact.
++        - It is not recommended to manually edit the PAM files when authselect is available.
++        - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
++        success_msg:
++        - authselect integrity check passed
++
++    - name: Get authselect current profile
++      ansible.builtin.shell:
++        cmd: authselect current -r | awk '{ print $1 }'
++      register: result_authselect_profile
++      changed_when: false
++      when:
++        - result_authselect_check_cmd is success
++
++    - name: Define the current authselect profile as a local fact
++      ansible.builtin.set_fact:
++        authselect_current_profile: "{{ result_authselect_profile.stdout }}"
++        authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
++      when:
++        - result_authselect_profile is not skipped
++        - result_authselect_profile.stdout is match("custom/")
++
++    - name: Define the new authselect custom profile as a local fact
++      ansible.builtin.set_fact:
++        authselect_current_profile: "{{ result_authselect_profile.stdout }}"
++        authselect_custom_profile: "custom/hardening"
++      when:
++        - result_authselect_profile is not skipped
++        - result_authselect_profile.stdout is not match("custom/")
++
++    - name: Get authselect current features to also enable them in the custom profile
++      ansible.builtin.shell:
++        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
++      register: result_authselect_features
++      changed_when: false
++      when:
++        - result_authselect_profile is not skipped
++        - authselect_current_profile is not match("custom/")
++
++    - name: Check if any custom profile with the same name was already created in the past
++      ansible.builtin.stat:
++        path: /etc/authselect/{{ authselect_custom_profile }}
++      register: result_authselect_custom_profile_present
++      changed_when: false
++      when:
++        - authselect_current_profile is not match("custom/")
++
++    - name: Create a custom profile based on the current profile
++      ansible.builtin.command:
++        cmd: authselect create-profile hardening -b sssd
++      when:
++        - result_authselect_check_cmd is success
++        - authselect_current_profile is not match("custom/")
++        - not result_authselect_custom_profile_present.stat.exists
++
++    - name: Ensure the desired configuration is present in the custom profile
++      ansible.builtin.lineinfile:
++        dest: "/etc/authselect/{{ authselect_custom_profile }}/password-auth"
++        insertbefore: ^password.*sufficient.*pam_unix.so.*
++        line: "password    requisite                                    pam_pwquality.so"
++      when:
++        - result_authselect_profile is not skipped
++        - result_pam_pwquality_present.found == 0
++
++    - name: Ensure a backup of current authselect profile before selecting the custom profile
++      ansible.builtin.command:
++        cmd: authselect apply-changes -b --backup=before-pwquality-hardening.backup
++      register: result_authselect_backup
++      when:
++        - result_authselect_check_cmd is success
++        - result_authselect_profile is not skipped
++        - authselect_current_profile is not match("custom/")
++        - authselect_custom_profile is not match(authselect_current_profile)
++
++    - name: Ensure the custom profile is selected
++      ansible.builtin.command:
++        cmd: authselect select {{ authselect_custom_profile }} --force
++      register: result_pam_authselect_select_profile
++      when:
++        - result_authselect_check_cmd is success
++        - result_authselect_profile is not skipped
++        - authselect_current_profile is not match("custom/")
++        - authselect_custom_profile is not match(authselect_current_profile)
++
++    - name: Restore the authselect features in the custom profile
++      ansible.builtin.command:
++        cmd: authselect enable-feature {{ item }}
++      loop: "{{ result_authselect_features.stdout_lines }}"
++      when:
++        - result_authselect_profile is not skipped
++        - result_authselect_features is not skipped
++        - result_pam_authselect_select_profile is not skipped
++
++    - name: Ensure the custom profile changes are applied
++      ansible.builtin.command:
++        cmd: authselect apply-changes -b --backup=after-pwquality-hardening.backup
++      when:
++        - result_authselect_check_cmd is success
++        - result_authselect_profile is not skipped
++  when:
++  - result_authselect_present.stat.exists
++
++# For systems without authselect
++- name: "Remediation where authselect tool is not present and PAM files are directly edited"
++  block:
++    - name: Ensure the desired configuration is present in the custom profile
++      ansible.builtin.lineinfile:
++        dest: "/etc/pam.d/password-auth"
++        insertbefore: ^password.*sufficient.*pam_unix.so.*
++        line: "password    requisite                                    pam_pwquality.so"
++      when:
++        - result_pam_pwquality_present.found == 0
++  when:
++    - not result_authselect_present.stat.exists
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh
+new file mode 100644
+index 00000000000..d2fca2a79ca
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh
+@@ -0,0 +1,41 @@
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
++
++PAM_FILE="password-auth"
++
++if [ -f /usr/bin/authselect ]; then
++    if authselect check; then
++        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
++        # Standard profiles delivered with authselect should not be modified.
++        # If not already in use, a custom profile is created preserving the enabled features.
++        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
++            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
++            authselect create-profile hardening -b $CURRENT_PROFILE
++            CURRENT_PROFILE="custom/hardening"
++            # Ensure a backup before changing the profile
++            authselect apply-changes -b --backup=before-pwquality-hardening.backup
++            authselect select $CURRENT_PROFILE
++            for feature in $ENABLED_FEATURES; do
++                authselect enable-feature $feature;
++            done
++        fi
++        # Include the desired configuration in the custom profile
++        CUSTOM_FILE="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE"
++        # The line should be included on the top password section
++		if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_FILE) -eq 0 ]; then
++  		  sed -i --follow-symlinks '0,/^password.*/s/^password.*/password    requisite                                    pam_pwquality.so\n&/' $CUSTOM_FILE
++		fi
++        authselect apply-changes -b --backup=after-pwquality-hardening.backup
++    else
++        echo "
++authselect integrity check failed. Remediation aborted!
++This remediation could not be applied because the authselect profile is not intact.
++It is not recommended to manually edit the PAM files when authselect is available.
++In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
++        false
++    fi
++else
++    FILE_PATH="/etc/pam.d/$PAM_FILE"
++    if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $FILE_PATH) -eq 0 ]; then
++        sed -i --follow-symlinks '0,/^password.*/s/^password.*/password    requisite                                    pam_pwquality.so\n&/' $FILE_PATH
++    fi
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml
+new file mode 100644
+index 00000000000..84f32456beb
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml
+@@ -0,0 +1,21 @@
++<def-group>
++  <definition class="compliance" id="{{{ rule_id }}}" version="1">
++    {{{ oval_metadata("The PAM module pam_pwquality is used in password-auth") }}}
++    <criteria comment="Condition for pam_pwquality in password-auth is satisfied">
++      <criterion comment="pam_pwquality password-auth"
++                 test_ref="test_accounts_password_pam_pwquality_password_auth"/>
++      </criteria>
++  </definition>
++
++  <ind:textfilecontent54_object id="object_accounts_password_pam_pwquality_password_auth" version="1">
++    <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
++    <ind:pattern operation="pattern match">^password[\s]*requisite[\s]*pam_pwquality\.so</ind:pattern>
++    <ind:instance datatype="int" operation="equals">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
++                              id="test_accounts_password_pam_pwquality_password_auth"
++                              comment="check the configuration of /etc/pam.d/password-auth">
++    <ind:object object_ref="object_accounts_password_pam_pwquality_password_auth"/>
++  </ind:textfilecontent54_test>
++</def-group>
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
+new file mode 100644
+index 00000000000..6c7bb1ad7a0
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
+@@ -0,0 +1,35 @@
++documentation_complete: true
++
++prodtype: fedora,rhel7,rhel8,rhel9,rhv4
++
++title: 'Ensure PAM password complexity module is enabled in password-auth'
++
++description: |-
++    To enable PAM password complexity in password-auth file:
++    Edit the <tt>password</tt> section in
++    <tt>/etc/pam.d/password-auth</tt> to show
++    <tt>password    requisite                                    pam_pwquality.so</tt>.
++
++rationale: |-
++    Enabling PAM password complexity permits to enforce strong passwords and consequently
++    makes the system less prone to dictionary attacks.
++
++severity: medium
++
++identifiers:
++    cce@rhel7: CCE-85876-1
++    cce@rhel8: CCE-85877-9
++    cce@rhel9: CCE-85878-7
++
++references:
++    stigid@rhel8: RHEL-08-020100
++
++ocil_clause: 'pam_pwquality.so is not enabled in password-auth'
++
++ocil: |-
++    To check if pam_pwhistory.so is enabled in password-auth, run the following command:
++    <pre>$ grep pam_pwquality /etc/pam.d/password-auth</pre></pre>
++    The output should be similar to the following:
++    <pre>password    requisite                                    pam_pwquality.so</pre>
++
++platform: pam
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
+new file mode 100644
+index 00000000000..3d696c36b76
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# packages = authselect
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
++
++authselect create-profile hardening -b sssd
++CUSTOM_PROFILE="custom/hardening"
++authselect select $CUSTOM_PROFILE --force
++
++CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
++sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $CUSTOM_SYSTEM_AUTH
++authselect apply-changes -b
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
+new file mode 100644
+index 00000000000..0435899262b
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++# packages = authselect
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
++
++authselect create-profile hardening -b sssd
++CUSTOM_PROFILE="custom/hardening"
++authselect select $CUSTOM_PROFILE --force
++
++CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
++if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_SYSTEM_AUTH) -eq 0 ]; then
++    sed -i --follow-symlinks '0,/^password.*/s/^password.*/password     requisite   pam_pwquality.so\n&/' $CUSTOM_SYSTEM_AUTH
++fi
++authselect apply-changes -b
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
+new file mode 100644
+index 00000000000..472616a51f6
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# packages = authselect
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
++
++authselect create-profile hardening -b sssd
++CUSTOM_PROFILE="custom/hardening"
++authselect select $CUSTOM_PROFILE --force
++
++CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
++sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $CUSTOM_SYSTEM_AUTH
++authselect apply-changes -b
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
+new file mode 100644
+index 00000000000..59f9d6f77c4
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
+@@ -0,0 +1,9 @@
++#!/bin/bash
++# packages = authselect
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
++# remediation = none
++
++SYSTEM_AUTH_FILE="/etc/pam.d/password-auth"
++
++# This modification will break the integrity checks done by authselect.
++sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $SYSTEM_AUTH_FILE
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
+new file mode 100644
+index 00000000000..71f87b19045
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++# packages = pam
++# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
++
++config_file=/etc/pam.d/password-auth
++if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $config_file) -eq 0 ]; then
++    sed -i --follow-symlinks '0,/^password.*/s/^password.*/password		requisite	pam_pwquality.so\n&/' $config_file
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
+new file mode 100644
+index 00000000000..95b73b24d26
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
++# packages = pam
++
++config_file=/etc/pam.d/password-auth
++
++sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $config_file
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml
+new file mode 100644
+index 00000000000..13cd20458ed
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml
+@@ -0,0 +1,150 @@
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = medium
++
++- name: Check for existing pam_pwquality.so entry
++  ansible.builtin.lineinfile:
++    path: "/etc/pam.d/system-auth"
++    create: no
++    regexp: '^password.*pam_pwquality.so.*'
++    state: absent
++  check_mode: true
++  changed_when: false
++  register: result_pam_pwquality_present
++
++- name: Check if system relies on authselect
++  ansible.builtin.stat:
++    path: /usr/bin/authselect
++  register: result_authselect_present
++
++- name: "Remediation where authselect tool is present"
++  block:
++    - name: Check the integrity of the current authselect profile
++      ansible.builtin.command:
++        cmd: authselect check
++      register: result_authselect_check_cmd
++      changed_when: false
++      ignore_errors: true
++
++    - name: Informative message based on the authselect integrity check result
++      ansible.builtin.assert:
++        that:
++          - result_authselect_check_cmd is success
++        fail_msg:
++        - authselect integrity check failed. Remediation aborted!
++        - This remediation could not be applied because the authselect profile is not intact.
++        - It is not recommended to manually edit the PAM files when authselect is available.
++        - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
++        success_msg:
++        - authselect integrity check passed
++
++    - name: Get authselect current profile
++      ansible.builtin.shell:
++        cmd: authselect current -r | awk '{ print $1 }'
++      register: result_authselect_profile
++      changed_when: false
++      when:
++        - result_authselect_check_cmd is success
++
++    - name: Define the current authselect profile as a local fact
++      ansible.builtin.set_fact:
++        authselect_current_profile: "{{ result_authselect_profile.stdout }}"
++        authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
++      when:
++        - result_authselect_profile is not skipped
++        - result_authselect_profile.stdout is match("custom/")
++
++    - name: Define the new authselect custom profile as a local fact
++      ansible.builtin.set_fact:
++        authselect_current_profile: "{{ result_authselect_profile.stdout }}"
++        authselect_custom_profile: "custom/hardening"
++      when:
++        - result_authselect_profile is not skipped
++        - result_authselect_profile.stdout is not match("custom/")
++
++    - name: Get authselect current features to also enable them in the custom profile
++      ansible.builtin.shell:
++        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
++      register: result_authselect_features
++      changed_when: false
++      when:
++        - result_authselect_profile is not skipped
++        - authselect_current_profile is not match("custom/")
++
++    - name: Check if any custom profile with the same name was already created in the past
++      ansible.builtin.stat:
++        path: /etc/authselect/{{ authselect_custom_profile }}
++      register: result_authselect_custom_profile_present
++      changed_when: false
++      when:
++        - authselect_current_profile is not match("custom/")
++
++    - name: Create a custom profile based on the current profile
++      ansible.builtin.command:
++        cmd: authselect create-profile hardening -b sssd
++      when:
++        - result_authselect_check_cmd is success
++        - authselect_current_profile is not match("custom/")
++        - not result_authselect_custom_profile_present.stat.exists
++
++    - name: Ensure the desired configuration is present in the custom profile
++      ansible.builtin.lineinfile:
++        dest: "/etc/authselect/{{ authselect_custom_profile }}/system-auth"
++        insertbefore: ^password.*sufficient.*pam_unix.so.*
++        line: "password    requisite                                    pam_pwquality.so"
++      when:
++        - result_authselect_profile is not skipped
++        - result_pam_pwquality_present.found == 0
++
++    - name: Ensure a backup of current authselect profile before selecting the custom profile
++      ansible.builtin.command:
++        cmd: authselect apply-changes -b --backup=before-pwquality-hardening.backup
++      register: result_authselect_backup
++      when:
++        - result_authselect_check_cmd is success
++        - result_authselect_profile is not skipped
++        - authselect_current_profile is not match("custom/")
++        - authselect_custom_profile is not match(authselect_current_profile)
++
++    - name: Ensure the custom profile is selected
++      ansible.builtin.command:
++        cmd: authselect select {{ authselect_custom_profile }} --force
++      register: result_pam_authselect_select_profile
++      when:
++        - result_authselect_check_cmd is success
++        - result_authselect_profile is not skipped
++        - authselect_current_profile is not match("custom/")
++        - authselect_custom_profile is not match(authselect_current_profile)
++
++    - name: Restore the authselect features in the custom profile
++      ansible.builtin.command:
++        cmd: authselect enable-feature {{ item }}
++      loop: "{{ result_authselect_features.stdout_lines }}"
++      when:
++        - result_authselect_profile is not skipped
++        - result_authselect_features is not skipped
++        - result_pam_authselect_select_profile is not skipped
++
++    - name: Ensure the custom profile changes are applied
++      ansible.builtin.command:
++        cmd: authselect apply-changes -b --backup=after-pwquality-hardening.backup
++      when:
++        - result_authselect_check_cmd is success
++        - result_authselect_profile is not skipped
++  when:
++  - result_authselect_present.stat.exists
++
++# For systems without authselect
++- name: "Remediation where authselect tool is not present and PAM files are directly edited"
++  block:
++    - name: Ensure the desired configuration is present in the custom profile
++      ansible.builtin.lineinfile:
++        dest: "/etc/pam.d/system-auth"
++        insertbefore: ^password.*sufficient.*pam_unix.so.*
++        line: "password    requisite                                    pam_pwquality.so"
++      when:
++        - result_pam_pwquality_present.found == 0
++  when:
++    - not result_authselect_present.stat.exists
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh
+new file mode 100644
+index 00000000000..9a7972a3f93
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh
+@@ -0,0 +1,41 @@
++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
++
++PAM_FILE="system-auth"
++
++if [ -f /usr/bin/authselect ]; then
++    if authselect check; then
++        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
++        # Standard profiles delivered with authselect should not be modified.
++        # If not already in use, a custom profile is created preserving the enabled features.
++        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
++            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
++            authselect create-profile hardening -b $CURRENT_PROFILE
++            CURRENT_PROFILE="custom/hardening"
++            # Ensure a backup before changing the profile
++            authselect apply-changes -b --backup=before-pwquality-hardening.backup
++            authselect select $CURRENT_PROFILE
++            for feature in $ENABLED_FEATURES; do
++                authselect enable-feature $feature;
++            done
++        fi
++        # Include the desired configuration in the custom profile
++        CUSTOM_FILE="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE"
++        # The line should be included on the top password section
++		if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_FILE) -eq 0 ]; then
++  		  sed -i --follow-symlinks '0,/^password.*/s/^password.*/password    requisite                                    pam_pwquality.so\n&/' $CUSTOM_FILE
++		fi
++        authselect apply-changes -b --backup=after-pwquality-hardening.backup
++    else
++        echo "
++authselect integrity check failed. Remediation aborted!
++This remediation could not be applied because the authselect profile is not intact.
++It is not recommended to manually edit the PAM files when authselect is available.
++In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
++        false
++    fi
++else
++    FILE_PATH="/etc/pam.d/$PAM_FILE"
++    if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $FILE_PATH) -eq 0 ]; then
++        sed -i --follow-symlinks '0,/^password.*/s/^password.*/password    requisite                                    pam_pwquality.so\n&/' $FILE_PATH
++    fi
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml
+new file mode 100644
+index 00000000000..f8d241f1ff2
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml
+@@ -0,0 +1,21 @@
++<def-group>
++  <definition class="compliance" id="{{{ rule_id }}}" version="1">
++    {{{ oval_metadata("The PAM module pam_pwquality is used in system-auth") }}}
++    <criteria comment="Condition for pam_pwquality in system-auth is satisfied">
++      <criterion comment="pam_pwquality system-auth"
++                 test_ref="test_accounts_password_pam_pwquality_system_auth"/>
++      </criteria>
++  </definition>
++
++  <ind:textfilecontent54_object id="object_accounts_password_pam_pwquality_system_auth" version="1">
++    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
++    <ind:pattern operation="pattern match">^password[\s]*requisite[\s]*pam_pwquality\.so</ind:pattern>
++    <ind:instance datatype="int" operation="equals">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" version="1"
++                              id="test_accounts_password_pam_pwquality_system_auth"
++                              comment="check the configuration of /etc/pam.d/system-auth">
++    <ind:object object_ref="object_accounts_password_pam_pwquality_system_auth"/>
++  </ind:textfilecontent54_test>
++</def-group>
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
+new file mode 100644
+index 00000000000..ea42ff9b07a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
+@@ -0,0 +1,35 @@
++documentation_complete: true
++
++prodtype: fedora,rhel7,rhel8,rhel9,rhv4
++
++title: 'Ensure PAM password complexity module is enabled in system-auth'
++
++description: |-
++    To enable PAM password complexity in system-auth file:
++    Edit the <tt>password</tt> section in
++    <tt>/etc/pam.d/system-auth</tt> to show
++    <tt>password    requisite                                    pam_pwquality.so</tt>.
++
++rationale: |-
++    Enabling PAM password complexity permits to enforce strong passwords and consequently
++    makes the system less prone to dictionary attacks.
++
++severity: medium
++
++identifiers:
++    cce@rhel7: CCE-85874-6
++    cce@rhel8: CCE-85872-0
++    cce@rhel9: CCE-85873-8
++
++references:
++    stigid@rhel8: RHEL-08-020101
++
++ocil_clause: 'pam_pwquality.so is not enabled in system-auth'
++
++ocil: |-
++    To check if pam_pwhistory.so is enabled in system-auth, run the following command:
++    <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre></pre>
++    The output should be similar to the following:
++    <pre>password    requisite                                    pam_pwquality.so</pre>
++
++platform: pam
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
+new file mode 100644
+index 00000000000..849f16d0f93
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# packages = authselect
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
++
++authselect create-profile hardening -b sssd
++CUSTOM_PROFILE="custom/hardening"
++authselect select $CUSTOM_PROFILE --force
++
++CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
++sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $CUSTOM_SYSTEM_AUTH
++authselect apply-changes -b
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
+new file mode 100644
+index 00000000000..6a98c244980
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++# packages = authselect
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
++
++authselect create-profile hardening -b sssd
++CUSTOM_PROFILE="custom/hardening"
++authselect select $CUSTOM_PROFILE --force
++
++CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
++if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_SYSTEM_AUTH) -eq 0 ]; then
++    sed -i --follow-symlinks '0,/^password.*/s/^password.*/password     requisite   pam_pwquality.so\n&/' $CUSTOM_SYSTEM_AUTH
++fi
++authselect apply-changes -b
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
+new file mode 100644
+index 00000000000..6786f6c13d7
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# packages = authselect
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
++
++authselect create-profile hardening -b sssd
++CUSTOM_PROFILE="custom/hardening"
++authselect select $CUSTOM_PROFILE --force
++
++CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
++sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $CUSTOM_SYSTEM_AUTH
++authselect apply-changes -b
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
+new file mode 100644
+index 00000000000..b3d9e5884f5
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
+@@ -0,0 +1,9 @@
++#!/bin/bash
++# packages = authselect
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
++# remediation = none
++
++SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
++
++# This modification will break the integrity checks done by authselect.
++sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $SYSTEM_AUTH_FILE
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
+new file mode 100644
+index 00000000000..71f87b19045
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++# packages = pam
++# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
++
++config_file=/etc/pam.d/password-auth
++if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $config_file) -eq 0 ]; then
++    sed -i --follow-symlinks '0,/^password.*/s/^password.*/password		requisite	pam_pwquality.so\n&/' $config_file
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
+new file mode 100644
+index 00000000000..3c8f6f79fe9
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
++# packages = pam
++
++config_file=/etc/pam.d/system-auth
++
++sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $config_file
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+index eeb55a6ff5c..6b2219a3eab 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+@@ -6,13 +6,16 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
+ 
+ description: |-
+     To configure the number of retry prompts that are permitted per-session:
++    {{% if product in ['rhel8', 'rhel9'] %}}
++    Edit the <tt>/etc/security/pwquality.conf</tt> to include
++    {{% else %}}
+     Edit the <tt>pam_pwquality.so</tt> statement in
+     {{% if 'ubuntu' not in product %}}
+-    <tt>/etc/pam.d/system-auth</tt> {{% if product in ['rhel8', 'rhel9'] %}} and
+-    <tt>/etc/pam.d/password-auth</tt> {{% endif %}} to show
++    <tt>/etc/pam.d/system-auth</tt> to show
+     {{% else %}}
+     <tt>/etc/pam.d/common-password</tt> to show
+     {{% endif %}}
++    {{% endif %}}
+     <tt>retry={{{xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value if site
+     policy is more restrictive. The DoD requirement is a maximum of 3 prompts
+     per session.
+@@ -48,17 +51,21 @@ references:
+     stigid@ol7: OL07-00-010119
+     stigid@ol8: OL08-00-020100
+     stigid@rhel7: RHEL-07-010119
+-    stigid@rhel8: RHEL-08-020100
++    stigid@rhel8: RHEL-08-020104
+     stigid@ubuntu2004: UBTU-20-010057
+ 
+ ocil_clause: 'it is not the required value'
+ 
+ ocil: |-
+     To check how many retry attempts are permitted on a per-session basis, run the following command:
++    {{% if product in ['rhel8', 'rhel9'] %}}
++    <pre>$ grep retry /etc/security/pwquality.conf</pre>
++    {{% else %}}
+     {{% if 'ubuntu' in product %}}
+     <pre>$ grep pam_pwquality /etc/pam.d/common-password</pre>
+     {{% else %}}
+-    <pre>$ grep pam_pwquality /etc/pam.d/system-auth {{% if product in ['rhel8', 'rhel9'] %}}/etc/pam.d/password-auth{{% endif %}}</pre>
++    <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
++    {{% endif %}}
+     {{% endif %}}
+     The <tt>retry</tt> parameter will indicate how many attempts are permitted.
+     The DoD required value is less than or equal to 3.
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index d92bc72971c..62fc512f05e 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -523,6 +523,20 @@ selections:
+     - sssd_enable_certmap
+ 
+     # RHEL-08-020100
++    - accounts_password_pam_pwquality_password_auth
++
++    # RHEL-08-020101
++    - accounts_password_pam_pwquality_system_auth
++
++    # RHEL-08-020102
++    # This is only required for RHEL8 systems below version 8.4 where the
++    # retry parameter was not yet available on /etc/security/pwquality.conf.
++
++    # RHEL-08-020103
++    # This is only required for RHEL8 systems below version 8.4 where the
++    # retry parameter was not yet available on /etc/security/pwquality.conf.
++
++    # RHEL-08-020104
+     - accounts_password_pam_retry
+ 
+     # RHEL-08-020110
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 42c6d0e9aca..ad08a6d3410 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -524,6 +524,20 @@ selections:
+     - sssd_enable_certmap
+ 
+     # RHEL-08-020100
++    - accounts_password_pam_pwquality_password_auth
++
++    # RHEL-08-020101
++    - accounts_password_pam_pwquality_system_auth
++
++    # RHEL-08-020102
++    # This is only required for RHEL8 systems below version 8.4 where the
++    # retry parameter was not yet available on /etc/security/pwquality.conf.
++
++    # RHEL-08-020103
++    # This is only required for RHEL8 systems below version 8.4 where the
++    # retry parameter was not yet available on /etc/security/pwquality.conf.
++
++    # RHEL-08-020104
+     - accounts_password_pam_retry
+ 
+     # RHEL-08-020110
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index e4fee44f9f9..33e82401c3d 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -53,6 +53,8 @@ selections:
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
++- accounts_password_pam_pwquality_password_auth
++- accounts_password_pam_pwquality_system_auth
+ - accounts_password_pam_retry
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_unix_rounds_password_auth
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 83d04775e3a..5beeb4f28af 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -64,6 +64,8 @@ selections:
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
++- accounts_password_pam_pwquality_password_auth
++- accounts_password_pam_pwquality_system_auth
+ - accounts_password_pam_retry
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_unix_rounds_password_auth

scap-security-guide-0.1.61-remove_RHEL_08_010560-PR_8145.patch

@@ -0,0 +1,44 @@
+diff --git a/controls/stig_rhel8.yml b/controls/stig_rhel8.yml
+index d7821c2e3b8..fe6b0f01186 100644
+--- a/controls/stig_rhel8.yml
++++ b/controls/stig_rhel8.yml
+@@ -584,11 +584,6 @@ controls:
+         rules:
+             - sshd_disable_root_login
+         status: automated
+-    -   id: RHEL-08-010560
+-        levels:
+-            - medium
+-        title: The auditd service must be running in RHEL 8.
+-        status: pending
+     -   id: RHEL-08-010561
+         levels:
+             - medium
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 7c89bcbf659..09fa85df181 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -368,9 +368,6 @@ selections:
+     # RHEL-08-010550
+     - sshd_disable_root_login
+ 
+-    # RHEL-08-010560
+-    - service_auditd_enabled
+-
+     # RHEL-08-010561
+     - service_rsyslog_enabled
+ 
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 690991f697b..eb2cac913bd 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -369,9 +369,6 @@ selections:
+     # RHEL-08-010550
+     - sshd_disable_root_login
+ 
+-    # RHEL-08-010560
+-    - service_auditd_enabled
+-
+     # RHEL-08-010561
+     - service_rsyslog_enabled
+ 

scap-security-guide-0.1.61-remove_client_alive_max-PR_8197.patch

@@ -0,0 +1,106 @@
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index d92bc72971c..98cabee38dd 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -51,7 +51,7 @@ selections:
+     - var_password_pam_lcredit=1
+     - var_password_pam_retry=3
+     - var_password_pam_minlen=15
+-    - var_sshd_set_keepalive=0
++    # - var_sshd_set_keepalive=0
+     - sshd_approved_macs=stig
+     - sshd_approved_ciphers=stig
+     - sshd_idle_timeout_value=10_minutes
+@@ -170,11 +170,13 @@ selections:
+     # RHEL-08-010190
+     - dir_perms_world_writable_sticky_bits
+ 
+-    # RHEL-08-010200
+-    - sshd_set_keepalive_0
+-
+-    # RHEL-08-010201
+-    - sshd_set_idle_timeout
++    # These two items don't behave as they used to in RHEL8.6 and RHEL9
++    # anymore. They will be disabled for now until an alternative
++    # solution is found.
++    # # RHEL-08-010200
++    # - sshd_set_keepalive_0
++    # # RHEL-08-010201
++    # - sshd_set_idle_timeout
+ 
+     # RHEL-08-010210
+     - file_permissions_var_log_messages
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 42c6d0e9aca..842f17c7021 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -52,7 +52,7 @@ selections:
+     - var_password_pam_lcredit=1
+     - var_password_pam_retry=3
+     - var_password_pam_minlen=15
+-    - var_sshd_set_keepalive=0
++    # - var_sshd_set_keepalive=0
+     - sshd_approved_macs=stig
+     - sshd_approved_ciphers=stig
+     - sshd_idle_timeout_value=10_minutes
+@@ -171,11 +171,13 @@ selections:
+     # RHEL-08-010190
+     - dir_perms_world_writable_sticky_bits
+ 
+-    # RHEL-08-010200
+-    - sshd_set_keepalive_0
+-
+-    # RHEL-08-010201
+-    - sshd_set_idle_timeout
++    # These two items don't behave as they used to in RHEL8.6 and RHEL9
++    # anymore. They will be disabled for now until an alternative
++    # solution is found.
++    # # RHEL-08-010200
++    # - sshd_set_keepalive_0
++    # # RHEL-08-010201
++    # - sshd_set_idle_timeout
+ 
+     # RHEL-08-010210
+     - file_permissions_var_log_messages
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index e4fee44f9f9..e3c8ebfc9a5 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -353,8 +353,6 @@ selections:
+ - sshd_enable_warning_banner
+ - sshd_print_last_log
+ - sshd_rekey_limit
+-- sshd_set_idle_timeout
+-- sshd_set_keepalive_0
+ - sshd_use_strong_rng
+ - sshd_x11_use_localhost
+ - sssd_certificate_verification
+@@ -423,7 +421,6 @@ selections:
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
+-- var_sshd_set_keepalive=0
+ - sshd_approved_macs=stig
+ - sshd_approved_ciphers=stig
+ - sshd_idle_timeout_value=10_minutes
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 83d04775e3a..8ef48e0654b 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -364,8 +364,6 @@ selections:
+ - sshd_enable_warning_banner
+ - sshd_print_last_log
+ - sshd_rekey_limit
+-- sshd_set_idle_timeout
+-- sshd_set_keepalive_0
+ - sshd_use_strong_rng
+ - sshd_x11_use_localhost
+ - sssd_certificate_verification
+@@ -432,7 +430,6 @@ selections:
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
+-- var_sshd_set_keepalive=0
+ - sshd_approved_macs=stig
+ - sshd_approved_ciphers=stig
+ - sshd_idle_timeout_value=10_minutes

scap-security-guide-0.1.61-rhel86_ospp_fix_audit_ospp_general-PR_8152.patch

@@ -0,0 +1,285 @@
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
+index 09dc1566bbf..26c7eea79d1 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
+@@ -6,10 +6,10 @@ title: 'Configure auditing of unsuccessful file accesses'
+ 
+ {{% set file_contents_audit_access_failed =
+ "## Unsuccessful file access (any other opens) This has to go last.
+--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}}
++-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
++-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}}
+ 
+ description: |-
+     Ensure that unsuccessful attempts to access a file are audited.
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
+index 5ce9fe6799c..262cf290ec0 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
+@@ -7,8 +7,8 @@ title: 'Configure auditing of successful file accesses'
+ {{% set file_contents_audit_access_success =
+ "## Successful file access (any other opens) This has to go last.
+ ## These next two are likely to result in a whole lot of events
+--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}}
++-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}}
+ 
+ description: |-
+     Ensure that successful attempts to access a file are audited.
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+index e37291c68a1..bdc59faa5f7 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+@@ -4,7 +4,7 @@ prodtype: ol8,rhcos4,rhel8,rhel9
+ 
+ title: 'Perform general configuration of Audit for OSPP'
+ 
+-{{% if product == "rhel9" %}}
++
+ {{% set file_contents_audit_ospp_general =
+ "## The purpose of these rules is to meet the requirements for Operating
+ ## System Protection Profile (OSPP)v4.2. These rules depends on having
+@@ -90,89 +90,7 @@ title: 'Perform general configuration of Audit for OSPP'
+ ## state results from that policy. This would be handled entirely by
+ ## that daemon.
+ " %}}
+-{{% else %}}
+-{{% set file_contents_audit_ospp_general =
+-"## The purpose of these rules is to meet the requirements for Operating
+-## System Protection Profile (OSPP)v4.2. These rules depends on having
+-## the following rule files copied to /etc/audit/rules.d:
+-##
+-## 10-base-config.rules, 11-loginuid.rules,
+-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
+-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
+-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
+-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
+-## 30-ospp-v42-5-perm-change-failed.rules,
+-## 30-ospp-v42-5-perm-change-success.rules,
+-## 30-ospp-v42-6-owner-change-failed.rules,
+-## 30-ospp-v42-6-owner-change-success.rules
+-##
+-## original copies may be found in /usr/share/audit/sample-rules/
+-
+-
+-## User add delete modify. This is covered by pam. However, someone could
+-## open a file and directly create or modify a user, so we'll watch passwd and
+-## shadow for writes
+--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-
+-## User enable and disable. This is entirely handled by pam.
+-
+-## Group add delete modify. This is covered by pam. However, someone could
+-## open a file and directly create or modify a user, so we'll watch group and
+-## gshadow for writes
+--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-
+ 
+-## Use of special rights for config changes. This would be use of setuid
+-## programs that relate to user accts. This is not all setuid apps because
+-## requirements are only for ones that affect system configuration.
+--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-
+-## Privilege escalation via su or sudo. This is entirely handled by pam.
+-
+-## Audit log access
+--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+-## Attempts to Alter Process and Session Initiation Information
+--a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+--a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-
+-## Attempts to modify MAC controls
+--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+-
+-## Software updates. This is entirely handled by rpm.
+-
+-## System start and shutdown. This is entirely handled by systemd
+-
+-## Kernel Module loading. This is handled in 43-module-load.rules
+-
+-## Application invocation. The requirements list an optional requirement
+-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+-## state results from that policy. This would be handled entirely by
+-## that daemon.
+-" %}}
+-{{% endif %}}
+ 
+ description: |-
+     Configure some basic <tt>Audit</tt> parameters specific for OSPP profile. 
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
+index ffe2344db56..c59e7e5e1f2 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
+@@ -1,3 +1,3 @@
+-# platform = Red Hat Enterprise Linux 8
++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+ 
+ cp $SHARED/audit/30-ospp-v42.rules /etc/audit/rules.d/
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh
+deleted file mode 100644
+index 96ef5ae0a23..00000000000
+--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules_rhel9.pass.sh
++++ /dev/null
+@@ -1,3 +0,0 @@
+-# platform = Red Hat Enterprise Linux 9
+-
+-cp $SHARED/audit/30-ospp-v42_rhel9.rules /etc/audit/rules.d/30-ospp-v42.rules
+diff --git a/tests/shared/audit/30-ospp-v42-3-access-failed.rules b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
+index a5aad3a95ce..39ac7a883ca 100644
+--- a/tests/shared/audit/30-ospp-v42-3-access-failed.rules
++++ b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
+@@ -1,5 +1,5 @@
+ ## Unsuccessful file access (any other opens) This has to go last.
+--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
++-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
++-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+diff --git a/tests/shared/audit/30-ospp-v42-3-access-success.rules b/tests/shared/audit/30-ospp-v42-3-access-success.rules
+index 0c8a6b65760..79004ce0c21 100644
+--- a/tests/shared/audit/30-ospp-v42-3-access-success.rules
++++ b/tests/shared/audit/30-ospp-v42-3-access-success.rules
+@@ -1,4 +1,4 @@
+ ## Successful file access (any other opens) This has to go last.
+ ## These next two are likely to result in a whole lot of events
+--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
++-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+diff --git a/tests/shared/audit/30-ospp-v42.rules b/tests/shared/audit/30-ospp-v42.rules
+index 3dced17255c..2d3c48265b6 100644
+--- a/tests/shared/audit/30-ospp-v42.rules
++++ b/tests/shared/audit/30-ospp-v42.rules
+@@ -57,6 +57,10 @@
+ 
+ ## Privilege escalation via su or sudo. This is entirely handled by pam.
+ 
++## Watch for configuration changes to privilege escalation.
++-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
++-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
++
+ ## Audit log access
+ -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+ ## Attempts to Alter Process and Session Initiation Information
+diff --git a/tests/shared/audit/30-ospp-v42_rhel9.rules b/tests/shared/audit/30-ospp-v42_rhel9.rules
+deleted file mode 100644
+index 2d3c48265b6..00000000000
+--- a/tests/shared/audit/30-ospp-v42_rhel9.rules
++++ /dev/null
+@@ -1,84 +0,0 @@
+-## The purpose of these rules is to meet the requirements for Operating
+-## System Protection Profile (OSPP)v4.2. These rules depends on having
+-## the following rule files copied to /etc/audit/rules.d:
+-##
+-## 10-base-config.rules, 11-loginuid.rules,
+-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
+-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
+-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
+-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
+-## 30-ospp-v42-5-perm-change-failed.rules,
+-## 30-ospp-v42-5-perm-change-success.rules,
+-## 30-ospp-v42-6-owner-change-failed.rules,
+-## 30-ospp-v42-6-owner-change-success.rules
+-##
+-## original copies may be found in /usr/share/audit/sample-rules/
+-
+-
+-## User add delete modify. This is covered by pam. However, someone could
+-## open a file and directly create or modify a user, so we'll watch passwd and
+-## shadow for writes
+--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-
+-## User enable and disable. This is entirely handled by pam.
+-
+-## Group add delete modify. This is covered by pam. However, someone could
+-## open a file and directly create or modify a user, so we'll watch group and
+-## gshadow for writes
+--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-
+-
+-## Use of special rights for config changes. This would be use of setuid
+-## programs that relate to user accts. This is not all setuid apps because
+-## requirements are only for ones that affect system configuration.
+--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-
+-## Privilege escalation via su or sudo. This is entirely handled by pam.
+-
+-## Watch for configuration changes to privilege escalation.
+--a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
+--a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
+-
+-## Audit log access
+--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+-## Attempts to Alter Process and Session Initiation Information
+--a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+--a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-
+-## Attempts to modify MAC controls
+--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+-
+-## Software updates. This is entirely handled by rpm.
+-
+-## System start and shutdown. This is entirely handled by systemd
+-
+-## Kernel Module loading. This is handled in 43-module-load.rules
+-
+-## Application invocation. The requirements list an optional requirement
+-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+-## state results from that policy. This would be handled entirely by
+-## that daemon.
+-

scap-security-guide-0.1.61-rhel8_stig_audit_rules-PR_8174.patch

@@ -0,0 +1,493 @@
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+index a0b3efcbf79..1bc7afbb224 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+@@ -58,7 +58,7 @@ references:
+     stigid@ol7: OL07-00-030410
+     stigid@ol8: OL08-00-030540
+     stigid@rhel7: RHEL-07-030420
+-    stigid@rhel8: RHEL-08-030540
++    stigid@rhel8: RHEL-08-030490
+     stigid@sle12: SLES-12-020470
+     stigid@sle15: SLES-15-030300
+     stigid@ubuntu2004: UBTU-20-010153
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+index 83dd57f2b6d..dc8211684f2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+@@ -58,7 +58,7 @@ references:
+     stigid@ol7: OL07-00-030410
+     stigid@ol8: OL08-00-030530
+     stigid@rhel7: RHEL-07-030430
+-    stigid@rhel8: RHEL-08-030530
++    stigid@rhel8: RHEL-08-030490
+     stigid@sle12: SLES-12-020480
+     stigid@sle15: SLES-15-030310
+     stigid@ubuntu2004: UBTU-20-010154
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+index 1b78aab4a1a..07592bb2fd9 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+@@ -61,7 +61,7 @@ references:
+     stigid@ol7: OL07-00-030370
+     stigid@ol8: OL08-00-030520
+     stigid@rhel7: RHEL-07-030380
+-    stigid@rhel8: RHEL-08-030520
++    stigid@rhel8: RHEL-08-030480
+     stigid@sle12: SLES-12-020430
+     stigid@sle15: SLES-15-030260
+     stigid@ubuntu2004: UBTU-20-010149
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+index 360c60de06d..084970765b2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+@@ -58,7 +58,7 @@ references:
+     stigid@ol7: OL07-00-030370
+     stigid@ol8: OL08-00-030510
+     stigid@rhel7: RHEL-07-030400
+-    stigid@rhel8: RHEL-08-030510
++    stigid@rhel8: RHEL-08-030480
+     stigid@sle12: SLES-12-020450
+     stigid@sle15: SLES-15-030280
+     stigid@ubuntu2004: UBTU-20-010150
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+index 19bf8a5b981..5695440ad7d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+@@ -75,7 +75,7 @@ references:
+     stigid@ol7: OL07-00-030440
+     stigid@ol8: OL08-00-030240
+     stigid@rhel7: RHEL-07-030480
+-    stigid@rhel8: RHEL-08-030240
++    stigid@rhel8: RHEL-08-030200
+     stigid@sle12: SLES-12-020410
+     stigid@sle15: SLES-15-030210
+     stigid@ubuntu2004: UBTU-20-010147
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+index 40cd114042e..ab536a8ae0a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+@@ -70,7 +70,7 @@ references:
+     stigid@ol7: OL07-00-030440
+     stigid@ol8: OL08-00-030230
+     stigid@rhel7: RHEL-07-030450
+-    stigid@rhel8: RHEL-08-030230
++    stigid@rhel8: RHEL-08-030200
+     stigid@sle12: SLES-12-020380
+     stigid@sle15: SLES-15-030230
+     stigid@ubuntu2004: UBTU-20-010144
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+index 81dddd9fb71..d1f4ee35ccb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+@@ -58,7 +58,7 @@ references:
+     stigid@ol7: OL07-00-030370
+     stigid@ol8: OL08-00-030500
+     stigid@rhel7: RHEL-07-030390
+-    stigid@rhel8: RHEL-08-030500
++    stigid@rhel8: RHEL-08-030480
+     stigid@sle12: SLES-12-020440
+     stigid@sle15: SLES-15-030270
+     stigid@ubuntu2004: UBTU-20-010151
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+index fa15012b05f..a2425e373bc 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+@@ -69,7 +69,7 @@ references:
+     stigid@ol7: OL07-00-030440
+     stigid@ol8: OL08-00-030220
+     stigid@rhel7: RHEL-07-030460
+-    stigid@rhel8: RHEL-08-030220
++    stigid@rhel8: RHEL-08-030200
+     stigid@sle15: SLES-15-030240
+     stigid@ubuntu2004: UBTU-20-010143
+     vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+index 6d15eecee2c..0be27fbe860 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+@@ -74,7 +74,7 @@ references:
+     stigid@ol7: OL07-00-030440
+     stigid@ol8: OL08-00-030210
+     stigid@rhel7: RHEL-07-030470
+-    stigid@rhel8: RHEL-08-030210
++    stigid@rhel8: RHEL-08-030200
+     stigid@sle12: SLES-12-020390
+     stigid@sle15: SLES-15-030190
+     stigid@ubuntu2004: UBTU-20-010145
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+index 6f7cea26e16..5dc13a0a43a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+@@ -70,7 +70,7 @@ references:
+     stigid@ol7: OL07-00-030440
+     stigid@ol8: OL08-00-030270
+     stigid@rhel7: RHEL-07-030440
+-    stigid@rhel8: RHEL-08-030270
++    stigid@rhel8: RHEL-08-030200
+     stigid@sle12: SLES-12-020370
+     stigid@sle15: SLES-15-030220
+     stigid@ubuntu2004: UBTU-20-010142
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+index 718dcb8a9d9..120d6fa84d3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+@@ -52,7 +52,7 @@ references:
+     stigid@ol7: OL07-00-030910
+     stigid@ol8: OL08-00-030362
+     stigid@rhel7: RHEL-07-030890
+-    stigid@rhel8: RHEL-08-030362
++    stigid@rhel8: RHEL-08-030361
+     stigid@ubuntu2004: UBTU-20-010270
+     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+index 643f075f46a..4caa7c66986 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+@@ -49,7 +49,7 @@ references:
+     stigid@ol7: OL07-00-030910
+     stigid@ol8: OL08-00-030363
+     stigid@rhel7: RHEL-07-030900
+-    stigid@rhel8: RHEL-08-030363
++    stigid@rhel8: RHEL-08-030361
+     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+index 9cf3c4668bc..8fea9dc4582 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+@@ -52,7 +52,7 @@ references:
+     stigid@ol7: OL07-00-030910
+     stigid@ol8: OL08-00-030364
+     stigid@rhel7: RHEL-07-030910
+-    stigid@rhel8: RHEL-08-030364
++    stigid@rhel8: RHEL-08-030361
+     stigid@ubuntu2004: UBTU-20-010267
+     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+index d0ebbdbd723..bee18e99b52 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+@@ -52,7 +52,7 @@ references:
+     stigid@ol7: OL07-00-030910
+     stigid@ol8: OL08-00-030365
+     stigid@rhel7: RHEL-07-030920
+-    stigid@rhel8: RHEL-08-030365
++    stigid@rhel8: RHEL-08-030361
+     stigid@ubuntu2004: UBTU-20-010268
+     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index 373b12525e1..736c6643b57 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -63,7 +63,7 @@ references:
+     stigid@ol7: OL07-00-030510
+     stigid@ol8: OL08-00-030470
+     stigid@rhel7: RHEL-07-030500
+-    stigid@rhel8: RHEL-08-030470
++    stigid@rhel8: RHEL-08-030420
+     stigid@sle12: SLES-12-020520
+     stigid@sle15: SLES-15-030160
+     stigid@ubuntu2004: UBTU-20-010158
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index 2b2d82a736b..6b4176d53e3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -66,7 +66,7 @@ references:
+     stigid@ol7: OL07-00-030510
+     stigid@ol8: OL08-00-030460
+     stigid@rhel7: RHEL-07-030550
+-    stigid@rhel8: RHEL-08-030460
++    stigid@rhel8: RHEL-08-030420
+     stigid@sle12: SLES-12-020510
+     stigid@sle15: SLES-15-030320
+     stigid@ubuntu2004: UBTU-20-010157
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+index dcb3d0f0525..90d45b6787e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+@@ -66,7 +66,7 @@ references:
+     stigid@ol7: OL07-00-030510
+     stigid@ol8: OL08-00-030440
+     stigid@rhel7: RHEL-07-030510
+-    stigid@rhel8: RHEL-08-030440
++    stigid@rhel8: RHEL-08-030420
+     stigid@sle12: SLES-12-020490
+     stigid@sle15: SLES-15-030150
+     stigid@ubuntu2004: UBTU-20-010155
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index e68d892bb90..6df936e489c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -60,7 +60,7 @@ references:
+     stigid@ol7: OL07-00-030510
+     stigid@ol8: OL08-00-030450
+     stigid@rhel7: RHEL-07-030530
+-    stigid@rhel8: RHEL-08-030450
++    stigid@rhel8: RHEL-08-030420
+     stigid@sle12: SLES-12-020540
+     stigid@sle15: SLES-15-030180
+     stigid@ubuntu2004: UBTU-20-010160
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index cd6bd545e71..1b6ae818e48 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -66,7 +66,7 @@ references:
+     stigid@ol7: OL07-00-030510
+     stigid@ol8: OL08-00-030430
+     stigid@rhel7: RHEL-07-030520
+-    stigid@rhel8: RHEL-08-030430
++    stigid@rhel8: RHEL-08-030420
+     stigid@sle12: SLES-12-020530
+     stigid@sle15: SLES-15-030170
+     stigid@ubuntu2004: UBTU-20-010159
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+index 50e5b4e4f02..2f1c6d0bf22 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+@@ -51,7 +51,7 @@ references:
+     stigid@ol7: OL07-00-030820
+     stigid@ol8: OL08-00-030380
+     stigid@rhel7: RHEL-07-030821
+-    stigid@rhel8: RHEL-08-030380
++    stigid@rhel8: RHEL-08-030360
+     stigid@sle12: SLES-12-020740
+     stigid@sle15: SLES-15-030530
+     stigid@ubuntu2004: UBTU-20-010180
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index ffca983d0bd..d92bc72971c 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -560,6 +560,8 @@ selections:
+ 
+     # RHEL-08-020220
+     - accounts_password_pam_pwhistory_remember_system_auth
++
++    # RHEL-08-020221
+     - accounts_password_pam_pwhistory_remember_password_auth
+ 
+     # RHEL-08-020230
+@@ -712,18 +714,11 @@ selections:
+ 
+     # RHEL-08-030200
+     - audit_rules_dac_modification_lremovexattr
+-
+-    # RHEL-08-030210
+     - audit_rules_dac_modification_removexattr
+-
+-    # RHEL-08-030220
+     - audit_rules_dac_modification_lsetxattr
+-
+-    # RHEL-08-030230
+     - audit_rules_dac_modification_fsetxattr
+-
+-    # RHEL-08-030240
+     - audit_rules_dac_modification_fremovexattr
++    - audit_rules_dac_modification_setxattr
+ 
+     # RHEL-08-030250
+     - audit_rules_privileged_commands_chage
+@@ -731,8 +726,6 @@ selections:
+     # RHEL-08-030260
+     - audit_rules_execution_chcon
+ 
+-    # RHEL-08-030270
+-    - audit_rules_dac_modification_setxattr
+ 
+     # RHEL-08-030280
+     - audit_rules_privileged_commands_ssh_agent
+@@ -787,28 +780,18 @@ selections:
+ 
+     # RHEL-08-030360
+     - audit_rules_kernel_module_loading_init
++    - audit_rules_kernel_module_loading_finit
+ 
+     # RHEL-08-030361
+     - audit_rules_file_deletion_events_rename
+-
+-    # RHEL-08-030362
+     - audit_rules_file_deletion_events_renameat
+-
+-    # RHEL-08-030363
+     - audit_rules_file_deletion_events_rmdir
+-
+-    # RHEL-08-030364
+     - audit_rules_file_deletion_events_unlink
+-
+-    # RHEL-08-030365
+     - audit_rules_file_deletion_events_unlinkat
+ 
+     # RHEL-08-030370
+     - audit_rules_privileged_commands_gpasswd
+ 
+-    # RHEL-08-030380
+-    - audit_rules_kernel_module_loading_finit
+-
+     # RHEL-08-030390
+     - audit_rules_kernel_module_loading_delete
+ 
+@@ -820,41 +803,21 @@ selections:
+ 
+     # RHEL-08-030420
+     - audit_rules_unsuccessful_file_modification_truncate
+-
+-    # RHEL-08-030430
+     - audit_rules_unsuccessful_file_modification_openat
+-
+-    # RHEL-08-030440
+     - audit_rules_unsuccessful_file_modification_open
+-
+-    # RHEL-08-030450
+     - audit_rules_unsuccessful_file_modification_open_by_handle_at
+-
+-    # RHEL-08-030460
+     - audit_rules_unsuccessful_file_modification_ftruncate
+-
+-    # RHEL-08-030470
+     - audit_rules_unsuccessful_file_modification_creat
+ 
+     # RHEL-08-030480
+     - audit_rules_dac_modification_chown
+-
+-    # RHEL-08-030490
+-    - audit_rules_dac_modification_chmod
+-
+-    # RHEL-08-030500
+     - audit_rules_dac_modification_lchown
+-
+-    # RHEL-08-030510
+     - audit_rules_dac_modification_fchownat
+-
+-    # RHEL-08-030520
+     - audit_rules_dac_modification_fchown
+ 
+-    # RHEL-08-030530
++    # RHEL-08-030490
++    - audit_rules_dac_modification_chmod
+     - audit_rules_dac_modification_fchmodat
+-
+-    # RHEL-08-030540
+     - audit_rules_dac_modification_fchmod
+ 
+     # RHEL-08-030550
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index eb2cac913bd..42c6d0e9aca 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -561,6 +561,8 @@ selections:
+ 
+     # RHEL-08-020220
+     - accounts_password_pam_pwhistory_remember_system_auth
++
++    # RHEL-08-020221
+     - accounts_password_pam_pwhistory_remember_password_auth
+ 
+     # RHEL-08-020230
+@@ -713,18 +715,11 @@ selections:
+ 
+     # RHEL-08-030200
+     - audit_rules_dac_modification_lremovexattr
+-
+-    # RHEL-08-030210
+     - audit_rules_dac_modification_removexattr
+-
+-    # RHEL-08-030220
+     - audit_rules_dac_modification_lsetxattr
+-
+-    # RHEL-08-030230
+     - audit_rules_dac_modification_fsetxattr
+-
+-    # RHEL-08-030240
+     - audit_rules_dac_modification_fremovexattr
++    - audit_rules_dac_modification_setxattr
+ 
+     # RHEL-08-030250
+     - audit_rules_privileged_commands_chage
+@@ -732,9 +727,6 @@ selections:
+     # RHEL-08-030260
+     - audit_rules_execution_chcon
+ 
+-    # RHEL-08-030270
+-    - audit_rules_dac_modification_setxattr
+-
+     # RHEL-08-030280
+     - audit_rules_privileged_commands_ssh_agent
+ 
+@@ -788,28 +780,18 @@ selections:
+ 
+     # RHEL-08-030360
+     - audit_rules_kernel_module_loading_init
++    - audit_rules_kernel_module_loading_finit
+ 
+     # RHEL-08-030361
+     - audit_rules_file_deletion_events_rename
+-
+-    # RHEL-08-030362
+     - audit_rules_file_deletion_events_renameat
+-
+-    # RHEL-08-030363
+     - audit_rules_file_deletion_events_rmdir
+-
+-    # RHEL-08-030364
+     - audit_rules_file_deletion_events_unlink
+-
+-    # RHEL-08-030365
+     - audit_rules_file_deletion_events_unlinkat
+ 
+     # RHEL-08-030370
+     - audit_rules_privileged_commands_gpasswd
+ 
+-    # RHEL-08-030380
+-    - audit_rules_kernel_module_loading_finit
+-
+     # RHEL-08-030390
+     - audit_rules_kernel_module_loading_delete
+ 
+@@ -821,41 +803,21 @@ selections:
+ 
+     # RHEL-08-030420
+     - audit_rules_unsuccessful_file_modification_truncate
+-
+-    # RHEL-08-030430
+     - audit_rules_unsuccessful_file_modification_openat
+-
+-    # RHEL-08-030440
+     - audit_rules_unsuccessful_file_modification_open
+-
+-    # RHEL-08-030450
+     - audit_rules_unsuccessful_file_modification_open_by_handle_at
+-
+-    # RHEL-08-030460
+     - audit_rules_unsuccessful_file_modification_ftruncate
+-
+-    # RHEL-08-030470
+     - audit_rules_unsuccessful_file_modification_creat
+ 
+     # RHEL-08-030480
+     - audit_rules_dac_modification_chown
+-
+-    # RHEL-08-030490
+-    - audit_rules_dac_modification_chmod
+-
+-    # RHEL-08-030500
+     - audit_rules_dac_modification_lchown
+-
+-    # RHEL-08-030510
+     - audit_rules_dac_modification_fchownat
+-
+-    # RHEL-08-030520
+     - audit_rules_dac_modification_fchown
+ 
+-    # RHEL-08-030530
++    # RHEL-08-030490
++    - audit_rules_dac_modification_chmod
+     - audit_rules_dac_modification_fchmodat
+-
+-    # RHEL-08-030540
+     - audit_rules_dac_modification_fchmod
+ 
+     # RHEL-08-030550

scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch

@@ -0,0 +1,375 @@
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
+new file mode 100644
+index 00000000000..1c151a1ec1a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv
++
++if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
++	sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
+new file mode 100644
+index 00000000000..24fdbe4c1d4
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
+@@ -0,0 +1,19 @@
++<def-group>
++  <definition class="compliance" id="set_password_hashing_algorithm_passwordauth" version="1">
++    {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/password-auth.") }}}
++    <criteria operator="AND">
++      <criterion test_ref="test_pam_unix_passwordauth_sha512" />
++    </criteria>
++  </definition>
++
++  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/password-auth for correct settings" id="test_pam_unix_passwordauth_sha512" version="1">
++    <ind:object object_ref="object_pam_unix_passwordauth_sha512" />
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object comment="check /etc/pam.d/password-auth for correct settings" id="object_pam_unix_passwordauth_sha512" version="1">
++      <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
++      <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern>
++    <ind:instance datatype="int">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++</def-group>
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
+new file mode 100644
+index 00000000000..9375269161d
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
+@@ -0,0 +1,72 @@
++documentation_complete: true
++
++prodtype: fedora,rhel7,rhel8,rhel9,rhv4
++
++title: "Set PAM's Password Hashing Algorithm - password-auth"
++
++description: |-
++    The PAM system service can be configured to only store encrypted
++    representations of passwords. In
++    <tt>/etc/pam.d/password-auth</tt>,
++    the
++    <tt>password</tt> section of the file controls which PAM modules execute
++    during a password change. Set the <tt>pam_unix.so</tt> module in the
++    <tt>password</tt> section to include the argument <tt>sha512</tt>, as shown
++    below:
++    <br />
++    <pre>password    sufficient    pam_unix.so sha512 <i>other arguments...</i></pre>
++    <br />
++    This will help ensure when local users change their passwords, hashes for
++    the new passwords will be generated using the SHA-512 algorithm. This is
++    the default.
++
++rationale: |-
++    Passwords need to be protected at all times, and encryption is the standard
++    method for protecting passwords. If passwords are not encrypted, they can
++    be plainly read (i.e., clear text) and easily compromised. Passwords that
++    are encrypted with a weak algorithm are no more protected than if they are
++    kepy in plain text.
++    <br /><br />
++    This setting ensures user and group account administration utilities are
++    configured to store only encrypted representations of passwords.
++    Additionally, the <tt>crypt_style</tt> configuration option ensures the use
++    of a strong hashing algorithm that makes password cracking attacks more
++    difficult.
++
++severity: medium
++
++identifiers:
++    cce@rhel7: CCE-85943-9
++    cce@rhel8: CCE-85945-4
++    cce@rhel9: CCE-85946-2
++
++references:
++    anssi: BP28(R32)
++    cis-csc: 1,12,15,16,5
++    cis@rhel7: 5.4.3
++    cis@rhel8: 5.4.4
++    cjis: 5.6.2.2
++    cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
++    cui: 3.13.11
++    disa: CCI-000196
++    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
++    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
++    ism: 0418,1055,1402
++    iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
++    nist: IA-5(c),IA-5(1)(c),CM-6(a)
++    nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
++    pcidss: Req-8.2.1
++    srg: SRG-OS-000073-GPOS-00041
++    stigid@rhel7: RHEL-07-010200
++    stigid@rhel8: RHEL-08-010160
++    vmmsrg: SRG-OS-000480-VMM-002000
++
++ocil_clause: 'it does not'
++
++ocil: |-
++    Inspect the <tt>password</tt> section of <tt>/etc/pam.d/password-auth</tt>
++    and ensure that the <tt>pam_unix.so</tt> module includes the argument
++    <tt>sha512</tt>:
++    <pre>$ grep sha512 /etc/pam.d/password-auth</pre>
++
++platform: pam
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
+new file mode 100644
+index 00000000000..a924fe5bd97
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++
++if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
++	sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
+new file mode 100644
+index 00000000000..68e925a645f
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/sha512//g" "/etc/pam.d/password-auth"
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
+index 542ea521a6c..e7503feeecb 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
+@@ -1,7 +1,9 @@
+-# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
++# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+ 
+ AUTH_FILES[0]="/etc/pam.d/system-auth"
++{{%- if product == "rhel7" %}}
+ AUTH_FILES[1]="/etc/pam.d/password-auth"
++{{%- endif %}}
+ 
+ for pamFile in "${AUTH_FILES[@]}"
+ do
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+index d76b6f80c0c..a754a84df6c 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+@@ -3,6 +3,9 @@
+     {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
+     <criteria operator="AND">
+       <criterion test_ref="test_pam_unix_sha512" />
++      {{%- if product == "rhel7" %}}
++      <extend_definition comment="check /etc/pam.d/password-auth for correct settings" definition_ref="set_password_hashing_algorithm_passwordauth" />
++      {{%- endif %}}
+     </criteria>
+   </definition>
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+index 13da9dd4086..59fb48e93b5 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+@@ -70,7 +70,7 @@ references:
+     stigid@ol7: OL07-00-010200
+     stigid@ol8: OL08-00-010160
+     stigid@rhel7: RHEL-07-010200
+-    stigid@rhel8: RHEL-08-010160
++    stigid@rhel8: RHEL-08-010159
+     stigid@sle12: SLES-12-010230
+     stigid@sle15: SLES-15-020170
+     vmmsrg: SRG-OS-000480-VMM-002000
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+index 7e481760670..fb9feec4d27 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+@@ -1,7 +1,9 @@
+ #!/bin/bash
+ 
+ AUTH_FILES[0]="/etc/pam.d/system-auth"
++{{%- if product == "rhel7" %}}
+ AUTH_FILES[1]="/etc/pam.d/password-auth"
++{{%- endif %}}
+ 
+ for pamFile in "${AUTH_FILES[@]}"
+ do
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+index 09bb82dd1d7..2f35381d475 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+@@ -1,7 +1,9 @@
+ #!/bin/bash
+ 
+ AUTH_FILES[0]="/etc/pam.d/system-auth"
++{{%- if product == "rhel7" %}}
+ AUTH_FILES[1]="/etc/pam.d/password-auth"
++{{%- endif %}}
+ 
+ for pamFile in "${AUTH_FILES[@]}"
+ do
+diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
+index 3ada8e6fe49..4df21f4ae6e 100644
+--- a/products/rhel8/profiles/pci-dss.profile
++++ b/products/rhel8/profiles/pci-dss.profile
+@@ -126,6 +126,7 @@ selections:
+     - service_pcscd_enabled
+     - sssd_enable_smartcards
+     - set_password_hashing_algorithm_systemauth
++    - set_password_hashing_algorithm_passwordauth
+     - set_password_hashing_algorithm_logindefs
+     - set_password_hashing_algorithm_libuserconf
+     - file_owner_etc_shadow
+diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
+index 15abd98a6a5..7188062df72 100644
+--- a/products/rhel8/profiles/rht-ccp.profile
++++ b/products/rhel8/profiles/rht-ccp.profile
+@@ -54,6 +54,7 @@ selections:
+     - accounts_password_pam_difok
+     - accounts_passwords_pam_faillock_deny
+     - set_password_hashing_algorithm_systemauth
++    - set_password_hashing_algorithm_passwordauth
+     - set_password_hashing_algorithm_logindefs
+     - set_password_hashing_algorithm_libuserconf
+     - require_singleuser_auth
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 04f158116ee..8d69bb48d38 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -149,6 +149,9 @@ selections:
+     # RHEL-08-010152
+     - require_emergency_target_auth
+ 
++    # RHEL-08-010159
++    - set_password_hashing_algorithm_passwordauth
++
+     # RHEL-08-010160
+     - set_password_hashing_algorithm_systemauth
+ 
+diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
+index beb1acda31d..1e4044f4e7e 100644
+--- a/products/rhel9/profiles/pci-dss.profile
++++ b/products/rhel9/profiles/pci-dss.profile
+@@ -123,6 +123,7 @@ selections:
+     - service_pcscd_enabled
+     - sssd_enable_smartcards
+     - set_password_hashing_algorithm_systemauth
++    - set_password_hashing_algorithm_passwordauth
+     - set_password_hashing_algorithm_logindefs
+     - set_password_hashing_algorithm_libuserconf
+     - file_owner_etc_shadow
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 8f79b22e3e4..b9f557de030 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -150,6 +150,9 @@ selections:
+     # RHEL-08-010152
+     - require_emergency_target_auth
+ 
++    # RHEL-08-010159
++    - set_password_hashing_algorithm_passwordauth
++
+     # RHEL-08-010160
+     - set_password_hashing_algorithm_systemauth
+ 
+diff --git a/products/rhv4/profiles/pci-dss.profile b/products/rhv4/profiles/pci-dss.profile
+index c4ed0ec2d48..d00f44996d8 100644
+--- a/products/rhv4/profiles/pci-dss.profile
++++ b/products/rhv4/profiles/pci-dss.profile
+@@ -121,6 +121,7 @@ selections:
+     - service_pcscd_enabled
+     - sssd_enable_smartcards
+     - set_password_hashing_algorithm_systemauth
++    - set_password_hashing_algorithm_passwordauth
+     - set_password_hashing_algorithm_logindefs
+     - set_password_hashing_algorithm_libuserconf
+     - file_owner_etc_shadow
+diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile
+index 01c2fd8cc2d..9cf416665ab 100644
+--- a/products/rhv4/profiles/rhvh-stig.profile
++++ b/products/rhv4/profiles/rhvh-stig.profile
+@@ -356,6 +356,7 @@ selections:
+     - set_password_hashing_algorithm_libuserconf
+     - set_password_hashing_algorithm_logindefs
+     - set_password_hashing_algorithm_systemauth
++    - set_password_hashing_algorithm_passwordauth
+     - package_opensc_installed
+     - var_smartcard_drivers=cac
+     - configure_opensc_card_drivers
+diff --git a/products/rhv4/profiles/rhvh-vpp.profile b/products/rhv4/profiles/rhvh-vpp.profile
+index c2b6c106937..e66fe435508 100644
+--- a/products/rhv4/profiles/rhvh-vpp.profile
++++ b/products/rhv4/profiles/rhvh-vpp.profile
+@@ -201,6 +201,7 @@ selections:
+     - accounts_password_pam_unix_remember
+     - set_password_hashing_algorithm_logindefs
+     - set_password_hashing_algorithm_systemauth
++    - set_password_hashing_algorithm_passwordauth
+     - set_password_hashing_algorithm_libuserconf
+     - no_empty_passwords
+ 
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 3f6ec5e17c4..4aa925037b1 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -53,9 +53,6 @@ CCE-85939-7
+ CCE-85940-5
+ CCE-85941-3
+ CCE-85942-1
+-CCE-85943-9
+-CCE-85945-4
+-CCE-85946-2
+ CCE-85947-0
+ CCE-85948-8
+ CCE-85949-6
+diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
+index f58bcf91cf2..e235d492438 100644
+--- a/tests/data/profile_stability/rhel8/pci-dss.profile
++++ b/tests/data/profile_stability/rhel8/pci-dss.profile
+@@ -1,5 +1,9 @@
++title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
+ description: Ensures PCI-DSS v3.2.1 security configuration settings are applied.
+-documentation_complete: true
++extends: null
++metadata:
++    SMEs:
++    - yuumasato
+ reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+ selections:
+ - account_disable_post_pw_expiration
+@@ -120,6 +124,7 @@ selections:
+ - service_pcscd_enabled
+ - set_password_hashing_algorithm_libuserconf
+ - set_password_hashing_algorithm_logindefs
++- set_password_hashing_algorithm_passwordauth
+ - set_password_hashing_algorithm_systemauth
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive_0
+@@ -136,4 +141,8 @@ selections:
+ - var_multiple_time_servers=rhel
+ - var_sshd_set_keepalive=0
+ - var_smartcard_drivers=cac
+-title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
++platforms: !!set {}
++cpe_names: !!set {}
++platform: null
++filter_rules: ''
++documentation_complete: true
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index ed739e724f4..c5fcbf47de2 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -336,6 +337,7 @@ selections:
+ - service_systemd-coredump_disabled
+ - service_usbguard_enabled
+ - set_password_hashing_algorithm_logindefs
++- set_password_hashing_algorithm_passwordauth
+ - set_password_hashing_algorithm_systemauth
+ - sshd_disable_compression
+ - sshd_disable_empty_passwords
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 56c3fcb9f59..49ec4ae41ac 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -347,6 +348,7 @@ selections:
+ - service_systemd-coredump_disabled
+ - service_usbguard_enabled
+ - set_password_hashing_algorithm_logindefs
++- set_password_hashing_algorithm_passwordauth
+ - set_password_hashing_algorithm_systemauth
+ - sshd_disable_compression
+ - sshd_disable_empty_passwords

scap-security-guide-0.1.61-selinux_state_rhel8_anssi_enhanced-PR_8182.patch

@@ -0,0 +1,155 @@
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index ff3736711dd..5c3d5f34ea8 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -72,6 +72,7 @@ controls:
+       SELinux policies limit the privileges of services and daemons to only what they require.
+     rules:
+     - selinux_state
++    - var_selinux_state=enforcing
+ 
+   - id: R4
+     levels:
+diff --git a/products/rhel8/profiles/anssi_bp28_enhanced.profile b/products/rhel8/profiles/anssi_bp28_enhanced.profile
+index 2a49527c10a..8f2ee31493b 100644
+--- a/products/rhel8/profiles/anssi_bp28_enhanced.profile
++++ b/products/rhel8/profiles/anssi_bp28_enhanced.profile
+@@ -17,4 +17,3 @@ description: |-
+ 
+ selections:
+     - anssi:all:enhanced
+-    - '!selinux_state'
+diff --git a/products/rhel9/profiles/anssi_bp28_enhanced.profile b/products/rhel9/profiles/anssi_bp28_enhanced.profile
+index 89e0d260390..da048c9b556 100644
+--- a/products/rhel9/profiles/anssi_bp28_enhanced.profile
++++ b/products/rhel9/profiles/anssi_bp28_enhanced.profile
+@@ -17,4 +17,3 @@ description: |-
+ 
+ selections:
+     - anssi:all:enhanced
+-    - '!selinux_state'
+diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+index 2e60ec43532..b201c495b8d 100644
+--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+@@ -42,3 +42,29 @@ controls:
+         rules:
+           - var_password_pam_minlen=2
+           - var_some_variable=3
++
++  # S5, S6 and S7 are used to test if level inheritance is working corectly
++  # when multiple levels select the same rule
++  - id: S5
++    title: Default Crypto Policy
++    levels:
++    - low
++    rules:
++      - configure_crypto_policy
++      - var_system_crypto_policy=default_policy
++
++  - id: S6
++    title: FIPS Crypto Policy
++    levels:
++    - medium
++    rules:
++      - configure_crypto_policy
++      - var_system_crypto_policy=fips
++
++  - id: S7
++    title: Future Crypto Policy
++    levels:
++    - high
++    rules:
++      - configure_crypto_policy
++      - var_system_crypto_policy=future
+diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
+index d3d6280042a..fb569280736 100644
+--- a/tests/unit/ssg-module/test_controls.py
++++ b/tests/unit/ssg-module/test_controls.py
+@@ -92,6 +92,20 @@ def test_controls_levels():
+     c_4b = controls_manager.get_control("abcd-levels", "S4.b")
+     assert c_4b.levels == ["high"]
+ 
++    c_5 = controls_manager.get_control("abcd-levels", "S5")
++    assert c_5.levels == ["low"]
++
++    c_6 = controls_manager.get_control("abcd-levels", "S6")
++    assert c_6.levels == ["medium"]
++
++    c_7 = controls_manager.get_control("abcd-levels", "S7")
++    assert c_7.levels == ["high"]
++
++    # test if all crypto-policy controls have the rule selected
++    assert "configure_crypto_policy" in c_5.selections
++    assert "configure_crypto_policy" in c_6.selections
++    assert "configure_crypto_policy" in c_7.selections
++
+     # just the essential controls
+     low_controls = controls_manager.get_all_controls_of_level(
+         "abcd-levels", "low")
+@@ -104,25 +118,34 @@ def test_controls_levels():
+ 
+     assert len(high_controls) == len(all_controls)
+     assert len(low_controls) <= len(high_controls)
+-    assert len(low_controls) == 4
+-    assert len(medium_controls) == 5
++    assert len(low_controls) == 5
++    assert len(medium_controls) == 7
+ 
+     # test overriding of variables in levels
+     assert c_2.variables["var_password_pam_minlen"] == "1"
+     assert "var_password_pam_minlen" not in c_3.variables.keys()
+     assert c_4b.variables["var_password_pam_minlen"] == "2"
+ 
++    variable_found = False
+     for c in low_controls:
+         if "var_password_pam_minlen" in c.variables.keys():
++            variable_found = True
+             assert c.variables["var_password_pam_minlen"] == "1"
++    assert variable_found
+ 
++    variable_found = False
+     for c in medium_controls:
+         if "var_password_pam_minlen" in c.variables.keys():
++            variable_found = True
+             assert c.variables["var_password_pam_minlen"] == "1"
++    assert variable_found
+ 
++    variable_found = False
+     for c in high_controls:
+         if "var_password_pam_minlen" in c.variables.keys():
++            variable_found = True
+             assert c.variables["var_password_pam_minlen"] == "2"
++    assert variable_found
+ 
+     # now test if controls of lower level has the variable definition correctly removed
+     # because it is overriden by higher level controls
+@@ -141,6 +164,28 @@ def test_controls_levels():
+     assert s2_low[0].variables["var_some_variable"] == "1"
+     assert s2_low[0].variables["var_password_pam_minlen"] == "1"
+ 
++    # check that low, medium and high levels have crypto policy selected
++    s5_low = [c for c in low_controls if c.id == "S5"]
++    assert len(s5_low) == 1
++    assert "configure_crypto_policy" in s5_low[0].selections
++
++    s5_medium = [c for c in medium_controls if c.id == "S5"]
++    assert len(s5_medium) == 1
++    assert "configure_crypto_policy" in s5_medium[0].selections
++    s6_medium = [c for c in medium_controls if c.id == "S6"]
++    assert len(s6_medium) == 1
++    assert "configure_crypto_policy" in s6_medium[0].selections
++
++    s5_high = [c for c in high_controls if c.id == "S5"]
++    assert len(s5_high) == 1
++    assert "configure_crypto_policy" in s5_high[0].selections
++    s6_high = [c for c in high_controls if c.id == "S6"]
++    assert len(s6_high) == 1
++    assert "configure_crypto_policy" in s6_high[0].selections
++    s7_high = [c for c in high_controls if c.id == "S7"]
++    assert len(s7_high) == 1
++    assert "configure_crypto_policy" in s7_high[0].selections
++
+ 
+ def test_controls_load_product():
+     product_yaml = os.path.join(ssg_root, "products", "rhel8", "product.yml")

scap-security-guide-0.1.61-supported-rhel9-PR_8202.patch

@@ -0,0 +1,23 @@
+From 7345dfea41ddf9cafc2b91b5c90f12ca9ceaffd6 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Thu, 10 Feb 2022 19:11:57 +0100
+Subject: [PATCH] RHEL9 is supported
+
+State that rhel9 will be supported by the vendor (as soon as it starts
+to exist)
+---
+ .../installed_OS_is_vendor_supported/oval/shared.xml             | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
+index 931be7e8959..16c3847adb7 100644
+--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
+@@ -6,6 +6,7 @@
+     <criteria comment="Installed operating system is supported by a vendor" operator="OR">
+       <extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
+       <extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
++      <extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" />
+       <extend_definition comment="Installed OS is OL7" definition_ref="installed_OS_is_ol7_family" />
+       <extend_definition comment="Installed OS is OL8" definition_ref="installed_OS_is_ol8_family" />
+       <extend_definition comment="Installed OS is SLE12" definition_ref="installed_OS_is_sle12" />

scap-security-guide-0.1.61-update_RHEL_08_010030-PR_8183.patch

@@ -0,0 +1,13 @@
+diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+index e9d25a34fbd..13231dc2cc9 100644
+--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+@@ -90,6 +90,7 @@ ocil: |-
+     /dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
+     " TYPE="crypto_LUKS"</pre>
+     <br /><br />
+-    Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding.
++    The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
++    are not required to use disk encryption and are not a finding.
+ 
+ platform: machine

scap-security-guide-0.1.61-update_RHEL_08_010287-PR_8051.patch

@@ -0,0 +1,43 @@
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+index 395129acb66..60b0ce0eb7d 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+@@ -30,7 +30,7 @@ references:
+     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
+     srg: SRG-OS-000250-GPOS-00093
+     stigid@ol8: OL08-00-010020
+-    stigid@rhel8: RHEL-08-010020
++    stigid@rhel8: RHEL-08-010287
+ 
+ ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
+ 
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 04f158116ee..60eafa9c566 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -191,9 +191,7 @@ selections:
+     # RHEL-08-010260
+     - file_groupowner_var_log
+ 
+-    # *** SHARED *** #
+-    # RHEL-08-010290 && RHEL-08-010291
+-    # *** SHARED *** #
++    # RHEL-08-010287
+     - configure_ssh_crypto_policy
+ 
+     # RHEL-08-010290
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 8f79b22e3e4..9bd1a2b0f51 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -192,9 +192,7 @@ selections:
+     # RHEL-08-010260
+     - file_groupowner_var_log
+ 
+-    # *** SHARED *** #
+-    # RHEL-08-010290 && RHEL-08-010291
+-    # *** SHARED *** #
++    # RHEL-08-010287
+     - configure_ssh_crypto_policy
+ 
+     # RHEL-08-010290

scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch

@@ -0,0 +1,146 @@
+diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+index 08ffd76aed6..399ca1ea3ce 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+@@ -4,6 +4,26 @@
+ # complexity = low
+ # disruption = low
+ 
+-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
+-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
+-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
++{{%- macro delete_line_in_sudoers_d(line) %}}
++- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
++  find:
++    path: "/etc/sudoers.d"
++    patterns: "*"
++    contains: '^{{{ line }}}$'
++  register: sudoers_d_defaults
++
++- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
++  lineinfile:
++    path: "{{ item.path }}"
++    regexp: "^{{{ line }}}$"
++    state: absent
++  with_items: "{{ sudoers_d_defaults.files }}"
++{{%- endmacro %}}
++
++{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
++{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
++{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
++
++{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
++{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
++{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
+diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
+index ea0ac67fa1c..3b327f3fc88 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
+@@ -1,5 +1,17 @@
+ # platform = multi_platform_all
+ 
++{{%- macro delete_line_in_sudoers_d(line) %}}
++if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
++    find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
++fi
++{{%- endmacro %}}
++
++{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
++{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
++{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
++
+ {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
+ {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
+ {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
++
++
+diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+index 646e6bfb7c0..b3fadd53bee 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+@@ -8,17 +8,17 @@
+       </criteria>
+   </definition>
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
++  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
+   id="test_sudoers_targetpw_config" version="1">
+     <ind:object object_ref="object_test_sudoers_targetpw_config" />
+   </ind:textfilecontent54_test>
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
++  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
+   id="test_sudoers_rootpw_config" version="1">
+     <ind:object object_ref="object_test_sudoers_rootpw_config" />
+   </ind:textfilecontent54_test>
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
++  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
+   id="test_sudoers_runaspw_config" version="1">
+     <ind:object object_ref="object_test_sudoers_runaspw_config" />
+   </ind:textfilecontent54_test>
+@@ -26,19 +26,19 @@
+   <ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
+     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
+     <ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
+-    <ind:instance datatype="int">1</ind:instance>
++    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+   <ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
+     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
+     <ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
+-    <ind:instance datatype="int">1</ind:instance>
++    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+   <ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
+     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
+     <ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
+-    <ind:instance datatype="int">1</ind:instance>
++    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+ </def-group>
+diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+index ccc29b77d15..698021d8fd0 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
+ ocil: |-
+     Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
+     <pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
+-    If no results are returned, this is a finding
++    If no results are returned, this is a finding.
++    If results are returned from more than one file location, this is a finding.
+     If "Defaults !targetpw" is not defined, this is a finding.
+     If "Defaults !rootpw" is not defined, this is a finding.
+     If "Defaults !runaspw" is not defined, this is a finding.
+diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
+new file mode 100644
+index 00000000000..a258d108a00
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
++# packages = sudo
++
++echo 'Defaults !targetpw' >> /etc/sudoers
++echo 'Defaults !rootpw' >> /etc/sudoers
++echo 'Defaults !runaspw' >> /etc/sudoers
++echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
++echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
++echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
+diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
+new file mode 100644
+index 00000000000..6247b5230e4
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
+@@ -0,0 +1,7 @@
++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
++# packages = sudo
++
++echo 'Defaults !targetpw' >> /etc/sudoers
++echo 'Defaults !rootpw' >> /etc/sudoers
++echo 'Defaults !runaspw' >> /etc/sudoers
++echo 'Defaults !runaspw' >> /etc/sudoers

scap-security-guide-0.1.61-update_RHEL_08_020041-PR_8146.patch

@@ -0,0 +1,300 @@
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+index 737d725872d..08b62057bde 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+@@ -1,7 +1,11 @@
+ # platform = multi_platform_all
++# reboot = true
++# strategy = enable
++# complexity = low
++# disruption = low
+ 
+ if ! grep -x '  case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
+-    cat >> /etc/bashrc <<'EOF'
++    cat >> /etc/profile.d/tmux.sh <<'EOF'
+ if [ "$PS1" ]; then
+   parent=$(ps -o ppid= -p $$)
+   name=$(ps -o comm= -p $parent)
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+index 00ac349e292..4cb2f9e0e04 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+@@ -4,21 +4,27 @@
+     <criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
+       <criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
+         test_ref="test_configure_bashrc_exec_tmux" />
++      <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
+     </criteria>
+   </definition>
+-  <ind:textfilecontent54_test check="only one" check_existence="only_one_exists"
++  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+     comment="check tmux is configured to exec on the last line of /etc/bashrc"
+     id="test_configure_bashrc_exec_tmux" version="1">
+     <ind:object object_ref="obj_configure_bashrc_exec_tmux" />
+-    <ind:state state_ref="state_configure_bashrc_exec_tmux" />
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="obj_configure_bashrc_exec_tmux" version="1">
+     <ind:behaviors singleline="true" multiline="false" />
+-    <ind:filepath>/etc/bashrc</ind:filepath>
+-    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+-    <ind:instance datatype="int">1</ind:instance>
++    <ind:filepath operation="pattern match">^/etc/bashrc$|^/etc/profile\.d/.*$</ind:filepath>
++    <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
++    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+-  <ind:textfilecontent54_state id="state_configure_bashrc_exec_tmux" version="1">
+-    <ind:subexpression datatype="string" operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:subexpression>
+-  </ind:textfilecontent54_state>
++
++  <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
++      <unix:object object_ref="obj_tmux_running"/>
++  </unix:process58_test>
++
++  <unix:process58_object id="obj_tmux_running" version="1">
++      <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
++      <unix:pid datatype="int" operation="greater than">0</unix:pid>
++  </unix:process58_object>
+ </def-group>
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+index 3ba0f4a2d8f..7afc5fc5e6b 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+@@ -7,12 +7,20 @@ title: 'Support session locking with tmux'
+ description: |-
+     The <tt>tmux</tt> terminal multiplexer is used to implement
+     automatic session locking. It should be started from
+-    <tt>/etc/bashrc</tt>.
++    <tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
++    Additionally it must be ensured that the <tt>tmux</tt> process is running
++    and it can be verified with the following command:
++    <pre>ps all | grep tmux | grep -v grep</pre>
+ 
+ rationale: |-
+     Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
+     provides a mechanism to lock sessions after period of inactivity.
+ 
++warnings:
++  - general: |-
++        The remediation does not start the tmux process, so it must be
++        manually started or have the system rebooted after applying the fix.
++
+ severity: medium
+ 
+ identifiers:
+@@ -26,17 +34,21 @@ references:
+     stigid@ol8: OL08-00-020041
+     stigid@rhel8: RHEL-08-020041
+ 
+-ocil_clause: 'exec tmux is not present at the end of bashrc'
++ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
+ 
+ ocil: |-
+     To verify that tmux is configured to execute,
+     run the following command:
+-    <pre>$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc</pre>
++    <pre>$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc /etc/profile.d/*</pre>
+     The output should return the following:
+     <pre>if [ "$PS1" ]; then
+       parent=$(ps -o ppid= -p $$)
+       name=$(ps -o comm= -p $parent)
+       case "$name" in sshd|login) exec tmux ;; esac
+     fi</pre>
++    To verify that the tmux process is running,
++    run the following command:
++    <pre>ps all | grep tmux | grep -v grep</pre>
++    If the command does not produce output, this is a finding.
+ 
+ platform: machine
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
+new file mode 100644
+index 00000000000..221c18665ef
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# packages = tmux
++
++cat >> /etc/bashrc <<'EOF'
++if [ "$PS1" ]; then
++  parent=$(ps -o ppid= -p $$)
++  name=$(ps -o comm= -p $parent)
++  case "$name" in sshd|login) exec tmux ;; esac
++fi
++EOF
++
++tmux new-session -s root -d
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
+new file mode 100644
+index 00000000000..1702bb17e79
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++# packages = tmux
++
++
++cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
++if [ "$PS1" ]; then
++  parent=$(ps -o ppid= -p $$)
++  name=$(ps -o comm= -p $parent)
++  case "$name" in sshd|login) exec tmux ;; esac
++fi
++EOF
++
++tmux new-session -s root -d
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
+new file mode 100644
+index 00000000000..16d4acfcb5a
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
+@@ -0,0 +1,20 @@
++#!/bin/bash
++# packages = tmux
++
++cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
++if [ "$PS1" ]; then
++  parent=$(ps -o ppid= -p $$)
++  name=$(ps -o comm= -p $parent)
++  case "$name" in sshd|login) exec tmux ;; esac
++fi
++EOF
++
++cat >> /etc/bashrc <<'EOF'
++if [ "$PS1" ]; then
++  parent=$(ps -o ppid= -p $$)
++  name=$(ps -o comm= -p $parent)
++  case "$name" in sshd|login) exec tmux ;; esac
++fi
++EOF
++
++tmux new-session -s root -d
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
+new file mode 100644
+index 00000000000..6cb9d83efc5
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++# packages = tmux
++# remediation = none
++
++cat >> /etc/bashrc <<'EOF'
++if [ "$PS1" ]; then
++  parent=$(ps -o ppid= -p $$)
++  name=$(ps -o comm= -p $parent)
++  case "$name" in sshd|login) exec tmux ;; esac
++fi
++EOF
++
++killall tmux || true
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
+new file mode 100644
+index 00000000000..f13a8b038e4
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
+@@ -0,0 +1,105 @@
++#!/bin/bash
++# packages = tmux
++
++cat > /etc/bashrc <<'EOF'
++# /etc/bashrc
++
++# System wide functions and aliases
++# Environment stuff goes in /etc/profile
++
++# It's NOT a good idea to change this file unless you know what you
++# are doing. It's much better to create a custom.sh shell script in
++# /etc/profile.d/ to make custom changes to your environment, as this
++# will prevent the need for merging in future updates.
++
++# Prevent doublesourcing
++if [ -z "$BASHRCSOURCED" ]; then
++  BASHRCSOURCED="Y"
++
++  # are we an interactive shell?
++  if [ "$PS1" ]; then
++    if [ -z "$PROMPT_COMMAND" ]; then
++      case $TERM in
++      xterm*|vte*)
++        if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
++            PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
++        elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then
++            PROMPT_COMMAND="__vte_prompt_command"
++        else
++            PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
++        fi
++        ;;
++      screen*)
++        if [ -e /etc/sysconfig/bash-prompt-screen ]; then
++            PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
++        else
++            PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
++        fi
++        ;;
++      *)
++        [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
++        ;;
++      esac
++    fi
++    # Turn on parallel history
++    shopt -s histappend
++    history -a
++    # Turn on checkwinsize
++    shopt -s checkwinsize
++    [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
++    # You might want to have e.g. tty in prompt (e.g. more virtual machines)
++    # and console windows
++    # If you want to do so, just add e.g.
++    # if [ "$PS1" ]; then
++    #   PS1="[\u@\h:\l \W]\\$ "
++    # fi
++    # to your custom modification shell script in /etc/profile.d/ directory
++  fi
++
++  if ! shopt -q login_shell ; then # We're not a login shell
++    # Need to redefine pathmunge, it gets undefined at the end of /etc/profile
++    pathmunge () {
++        case ":${PATH}:" in
++            *:"$1":*)
++                ;;
++            *)
++                if [ "$2" = "after" ] ; then
++                    PATH=$PATH:$1
++                else
++                    PATH=$1:$PATH
++                fi
++        esac
++    }
++
++    # By default, we want umask to get set. This sets it for non-login shell.
++    # Current threshold for system reserved uid/gids is 200
++    # You could check uidgid reservation validity in
++    # /usr/share/doc/setup-*/uidgid file
++    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
++       umask 002
++    else
++       umask 022
++    fi
++
++    SHELL=/bin/bash
++    # Only display echos from profile.d scripts if we are no login shell
++    # and interactive - otherwise just process them to set envvars
++    for i in /etc/profile.d/*.sh; do
++        if [ -r "$i" ]; then
++            if [ "$PS1" ]; then
++                . "$i"
++            else
++                . "$i" >/dev/null
++            fi
++        fi
++    done
++
++    unset i
++    unset -f pathmunge
++  fi
++
++fi
++# vim:ts=4:sw=4
++EOF
++
++tmux new-session -s root -d

scap-security-guide-0.1.61-update_RHEL_08_040320-PR_8170.patch

@@ -0,0 +1,209 @@
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
+index 5b3afb324df..67d6836e873 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
+@@ -14,12 +14,3 @@
+       - xorg-x11-server-Xwayland
+ {{% endif %}}
+     state: absent
+-
+-
+-- name: Switch to multi-user runlevel
+-  file:
+-    src: /usr/lib/systemd/system/multi-user.target
+-    dest: /etc/systemd/system/default.target
+-    state: link
+-    force: yes
+-
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
+index dbabe572d2a..496dc74be7c 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
+@@ -12,6 +12,3 @@
+ {{% if product not in ["rhel7", "ol7"] %}}
+ {{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
+ {{% endif %}}
+-
+-# configure run level
+-systemctl set-default multi-user.target
+\ No newline at end of file
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
+index 0710efe9f1b..0868ec6eae7 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
+@@ -2,10 +2,6 @@
+   <definition class="compliance" id="xwindows_remove_packages" version="1">
+     {{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}}
+     <criteria>
+-      {{%- if init_system == "systemd" and target_oval_version != [5, 10] %}}
+-      <extend_definition comment="system is configured to boot into multi-user.target"
+-        definition_ref="xwindows_runlevel_target" />
+-      {{%- endif %}}
+       <criterion comment="package xorg-x11-server-Xorg is not installed"
+         test_ref="package_xorg-x11-server-Xorg_removed" />
+       <extend_definition comment="package xorg-x11-server-common is removed"
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+index 10e51577a12..6ceb07bd574 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+@@ -19,14 +19,6 @@ description: |-
+     {{% else %}}
+     <pre>sudo {{{ pkg_manager }}} remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</pre>
+     {{% endif %}}
+-    Additionally, setting the system's default target to
+-    <tt>multi-user.target</tt> will prevent automatic startup of the X server.
+-    To do so, run:
+-    <pre>$ systemctl set-default multi-user.target</pre>
+-    You should see the following output:
+-    <pre>Removed symlink /etc/systemd/system/default.target.
+-    Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.</pre>
+-
+ 
+ rationale: |-
+     Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
+@@ -72,6 +64,8 @@ warnings:
+         The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
+         overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
+         which might bring your system to an inconsistent state requiring additional configuration to access the system
+-        again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before
++        again.
++        The rule <tt>xwindows_runlevel_target</tt> can be used to configure the system to boot into the multi-user.target.
++        If a GUI is an operational requirement, a tailored profile that removes this rule should be used before
+         continuing installation.
+ {{{ ovirt_rule_notapplicable_warning("X11 graphic libraries are dependency of OpenStack Cinderlib storage provider") | indent(4) }}}
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh
+deleted file mode 100644
+index 9bf62a42d28..00000000000
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh
++++ /dev/null
+@@ -1,5 +0,0 @@
+-#!/bin/bash
+-
+-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+-
+-systemctl set-default multi-user.target
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh
+deleted file mode 100644
+index 4eeb6971486..00000000000
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh
++++ /dev/null
+@@ -1,5 +0,0 @@
+-#!/bin/bash
+-
+-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+-
+-ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh
+new file mode 100644
+index 00000000000..b3908cff002
+--- /dev/null
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++{{{ bash_package_install("xorg-x11-server-Xorg") }}}
++{{{ bash_package_install("xorg-x11-server-utils") }}}
++{{{ bash_package_install("xorg-x11-server-common") }}}
++{{% if product not in ["rhel7", "ol7"] %}}
++{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
++{{% endif %}}
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh
+new file mode 100644
+index 00000000000..abafdbd624a
+--- /dev/null
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh
+@@ -0,0 +1,16 @@
++#!/bin/bash
++# based on shared/templates/package_removed/tests/package-installed-removed.pass.sh
++
++{{{ bash_package_install("xorg-x11-server-Xorg") }}}
++{{{ bash_package_install("xorg-x11-server-utils") }}}
++{{{ bash_package_install("xorg-x11-server-common") }}}
++{{% if product not in ["rhel7", "ol7"] %}}
++{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
++{{% endif %}}
++
++{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
++{{{ bash_package_remove("xorg-x11-server-utils") }}}
++{{{ bash_package_remove("xorg-x11-server-common") }}}
++{{% if product not in ["rhel7", "ol7"] %}}
++{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
++{{% endif %}}
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh
+new file mode 100644
+index 00000000000..a403e108082
+--- /dev/null
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
++{{{ bash_package_remove("xorg-x11-server-utils") }}}
++{{{ bash_package_remove("xorg-x11-server-common") }}}
++{{% if product not in ["rhel7", "ol7"] %}}
++{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
++{{% endif %}}
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh
+deleted file mode 100644
+index ff7d0efda29..00000000000
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh
++++ /dev/null
+@@ -1,4 +0,0 @@
+-#!/bin/bash
+-# platform = Red Hat Enterprise Linux 7
+-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils
+-
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh
+deleted file mode 100644
+index d8ecd8c7361..00000000000
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh
++++ /dev/null
+@@ -1,5 +0,0 @@
+-#!/bin/bash
+-# platform = Red Hat Enterprise Linux 7
+-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils
+-
+-systemctl set-default graphical.target
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh
+deleted file mode 100644
+index 14f1a97bc4f..00000000000
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh
++++ /dev/null
+@@ -1,4 +0,0 @@
+-#!/bin/bash
+-# platform = Red Hat Enterprise Linux 8
+-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils,xorg-x11-server-Xwayland
+-
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh
+deleted file mode 100644
+index c678ef711d9..00000000000
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh
++++ /dev/null
+@@ -1,5 +0,0 @@
+-#!/bin/bash
+-# platform = Red Hat Enterprise Linux 8
+-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils,xorg-x11-server-Xwayland
+-
+-systemctl set-default graphical.target
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh
+deleted file mode 100644
+index bf8a615b1dc..00000000000
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh
++++ /dev/null
+@@ -1,5 +0,0 @@
+-#!/bin/bash
+-
+-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+-
+-systemctl set-default graphical.target
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh
+deleted file mode 100644
+index 652088b85ae..00000000000
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh
++++ /dev/null
+@@ -1,5 +0,0 @@
+-#!/bin/bash
+-
+-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+-
+-ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target

scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch

@@ -0,0 +1,685 @@
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+index dac47a1c6d1..3a6167a5717 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+@@ -39,7 +39,7 @@ references:
+     nist: CM-5(6),CM-5(6).1
+     srg: SRG-OS-000259-GPOS-00100
+     stigid@ol8: OL08-00-010350
+-    stigid@rhel8: RHEL-08-010350
++    stigid@rhel8: RHEL-08-010351
+     stigid@sle12: SLES-12-010876
+     stigid@sle15: SLES-15-010356
+     stigid@ubuntu2004: UBTU-20-010431
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+index 50fdb17bd2e..6a05a2b82ea 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
+ 
+ DIRS="/lib /lib64 /usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
+new file mode 100644
+index 00000000000..6a05a2b82ea
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
++
++DIRS="/lib /lib64 /usr/lib /usr/lib64"
++for dirPath in $DIRS; do
++	find "$dirPath" -type d -exec chgrp root '{}' \;
++done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
+new file mode 100644
+index 00000000000..36461f5e5c3
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
++
++DIRS="/lib /lib64 /usr/lib /usr/lib64"
++for dirPath in $DIRS; do
++	mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
++done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
+new file mode 100644
+index 00000000000..3f09e3dd018
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
++
++DIRS="/lib /lib64 /usr/lib /usr/lib64"
++for dirPath in $DIRS; do
++	mkdir -p "$dirPath/testme/test2" && chgrp nobody "$dirPath/testme/test2"
++done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+index 043ad6b2dee..36461f5e5c3 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
+ 
+ DIRS="/lib /lib64 /usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
+index e2362388678..ba923d8ac55 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
+@@ -27,7 +27,7 @@ references:
+     srg: SRG-OS-000258-GPOS-00099
+     stigid@ubuntu2004: UBTU-20-010424
+ 
+-ocil_clause: 'any system exectables directories are found to not be owned by root'
++ocil_clause: 'any system executables directories are found to not be owned by root'
+ 
+ ocil: |-
+     System executables are stored in the following directories by default:
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
+deleted file mode 100644
+index 28e193f827c..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
++++ /dev/null
+@@ -1,28 +0,0 @@
+-<def-group>
+-  <definition class="compliance" id="dir_ownership_library_dirs" version="1">
+-    {{{ oval_metadata("
+-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
+-        directories therein, are owned by root.
+-      ") }}}
+-    <criteria operator="AND">
+-      <criterion test_ref="test_dir_ownership_lib_dir" />
+-    </criteria>
+-  </definition>
+-
+-  <unix:file_test  check="all" check_existence="none_exist" comment="library directories uid root" id="test_dir_ownership_lib_dir" version="1">
+-    <unix:object object_ref="object_dir_ownership_lib_dir" />
+-  </unix:file_test>
+-
+-
+-  <unix:file_object comment="library directories" id="object_dir_ownership_lib_dir" version="1">
+-    <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
+-    <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
+-    <unix:filename xsi:nil="true" />
+-    <filter action="include">state_owner_library_dirs_not_root</filter>
+-  </unix:file_object>
+-
+-  <unix:file_state id="state_owner_library_dirs_not_root" version="1">
+-    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+-  </unix:file_state>
+-
+-</def-group>
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
+index d6a0beddf6e..f0781b307b3 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
+@@ -27,6 +27,8 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
++    cce@rhel8: CCE-89021-0
++    cce@rhel9: CCE-89022-8
+     cce@sle12: CCE-83236-0
+     cce@sle15: CCE-85735-9
+ 
+@@ -34,6 +36,7 @@ references:
+     disa: CCI-001499
+     nist: CM-5(6),CM-5(6).1
+     srg: SRG-OS-000259-GPOS-00100
++    stigid@rhel8: RHEL-08-010341
+     stigid@sle12: SLES-12-010874
+     stigid@sle15: SLES-15-010354
+     stigid@ubuntu2004: UBTU-20-010429
+@@ -49,3 +52,14 @@ ocil: |-
+     For each of these directories, run the following command to find files not
+     owned by root:
+     <pre>$ sudo find -L <i>$DIR</i> ! -user root -type d -exec chown root {} \;</pre>
++
++template:
++    name: file_owner
++    vars:
++        filepath:
++            - /lib/
++            - /lib64/
++            - /usr/lib/
++            - /usr/lib64/
++        recursive: 'true'
++        fileuid: '0'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
+similarity index 69%
+rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
+index 01891664f64..a0d4990582e 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle
++# platform = multi_platform_sle,multi_platform_rhel
+ DIRS="/lib /lib64 /usr/lib /usr/lib64"
+ for dirPath in $DIRS; do
+ 	find "$dirPath" -type d -exec chown root '{}' \;
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
+similarity index 63%
+rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
+rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
+index 59b8a1867eb..f366c2d7922 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
+@@ -1,4 +1,5 @@
+-# platform = multi_platform_sle
++# platform = multi_platform_sle,multi_platform_rhel
++groupadd nogroup
+ DIRS="/lib /lib64"
+ for dirPath in $DIRS; do
+ 	mkdir -p "$dirPath/testme" && chown nobody:nogroup "$dirPath/testme"
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
+index a0e4e24b4f4..add26b2e778 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
+@@ -1,8 +1,8 @@
+ <def-group>
+   <definition class="compliance" id="dir_permissions_library_dirs" version="1">
+     {{{ oval_metadata("
+-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
+-        objects therein, are not group-writable or world-writable.
++        Checks that the directories /lib, /lib64, /usr/lib and /usr/lib64
++        are not group-writable or world-writable.
+       ") }}}
+     <criteria operator="AND">
+       <criterion test_ref="dir_test_perms_lib_dir" />
+@@ -19,7 +19,7 @@
+     <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+     <unix:filename xsi:nil="true" />
+     <filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
+-    <filter action="exclude">dir_perms_state_symlink</filter>
++    <filter action="exclude">dir_perms_state_nogroupwrite_noworldwrite_symlink</filter>
+   </unix:file_object>
+ 
+   <unix:file_state id="dir_state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
+@@ -27,7 +27,7 @@
+     <unix:owrite datatype="boolean">true</unix:owrite>
+   </unix:file_state>
+ 
+-  <unix:file_state id="dir_perms_state_symlink" version="1">
++  <unix:file_state id="dir_perms_state_nogroupwrite_noworldwrite_symlink" version="1">
+     <unix:type operation="equals">symbolic link</unix:type>
+   </unix:file_state>
+ 
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+index db89a5e47a1..6e62e8c6bbf 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+@@ -60,3 +60,14 @@ ocil: |-
+     To find shared libraries that are group-writable or world-writable,
+     run the following command for each directory <i>DIR</i> which contains shared libraries:
+     <pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
++
++template:
++    name: file_permissions
++    vars:
++        filepath:
++            - /lib/
++            - /lib64/
++            - /usr/lib/
++            - /usr/lib64/
++        recursive: 'true'
++        filemode: '0755'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
+index 6b3a2905068..eec7485f90c 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
++# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
+ # reboot = false
+ # strategy = restrict
+ # complexity = medium
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+index a9e8c7d8e25..e352dd34a67 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
++# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+ 
+ for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
+ do
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
+deleted file mode 100644
+index de81a3703b4..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
++++ /dev/null
+@@ -1,18 +0,0 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
+-# reboot = false
+-# strategy = restrict
+-# complexity = medium
+-# disruption = medium
+-- name: "Read list libraries without root ownership"
+-  command: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root"
+-  register: libraries_not_owned_by_root
+-  changed_when: False
+-  failed_when: False
+-  check_mode: no
+-
+-- name: "Set ownership of system libraries to root"
+-  file:
+-    path: "{{ item }}"
+-    owner: "root"
+-  with_items: "{{ libraries_not_owned_by_root.stdout_lines }}"
+-  when: libraries_not_owned_by_root | length > 0
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
+deleted file mode 100644
+index c75167d2fe7..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
++++ /dev/null
+@@ -1,8 +0,0 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
+-for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
+-do
+-  if [ -d $LIBDIR ]
+-  then
+-    find -L $LIBDIR \! -user root -exec chown root {} \; 
+-  fi
+-done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
+deleted file mode 100644
+index 59ee3d82a21..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
++++ /dev/null
+@@ -1,39 +0,0 @@
+-<def-group>
+-  <definition class="compliance" id="file_ownership_library_dirs" version="1">
+-    {{{ oval_metadata("
+-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
+-        objects therein, are owned by root.
+-      ") }}}
+-    <criteria operator="AND">
+-      <criterion test_ref="test_ownership_lib_dir" />
+-      <criterion test_ref="test_ownership_lib_files" />
+-    </criteria>
+-  </definition>
+-
+-  <unix:file_test  check="all" check_existence="none_exist" comment="library directories uid root" id="test_ownership_lib_dir" version="1">
+-    <unix:object object_ref="object_file_ownership_lib_dir" />
+-  </unix:file_test>
+-
+-  <unix:file_test  check="all" check_existence="none_exist" comment="library files uid root" id="test_ownership_lib_files" version="1">
+-    <unix:object object_ref="object_file_ownership_lib_files" />
+-  </unix:file_test>
+-
+-  <unix:file_object comment="library directories" id="object_file_ownership_lib_dir" version="1">
+-    <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
+-    <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
+-    <unix:filename xsi:nil="true" />
+-    <filter action="include">state_owner_libraries_not_root</filter>
+-  </unix:file_object>
+-
+-  <unix:file_object comment="library files" id="object_file_ownership_lib_files" version="1">
+-    <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
+-    <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
+-    <unix:filename operation="pattern match">^.*$</unix:filename>
+-   <filter action="include">state_owner_libraries_not_root</filter>
+-  </unix:file_object>
+-
+-  <unix:file_state id="state_owner_libraries_not_root" version="1">
+-    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
+-  </unix:file_state>
+-
+-</def-group>
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+index d80681c1e65..b6bc18e8310 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+@@ -60,3 +60,14 @@ ocil: |-
+     For each of these directories, run the following command to find files not
+     owned by root:
+     <pre>$ sudo find -L <i>$DIR</i> ! -user root -exec chown root {} \;</pre>
++
++template:
++    name: file_owner
++    vars:
++        filepath:
++            - /lib/
++            - /lib64/
++            - /usr/lib/
++            - /usr/lib64/
++        file_regex: ^.*$
++        fileuid: '0'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
+new file mode 100644
+index 00000000000..92c6a0889d4
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
++
++for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
++do
++    if [[ -d $SYSLIBDIRS  ]]
++    then
++        find $SYSLIBDIRS ! -user root -type f -exec chown root '{}' \;
++    fi
++done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
+new file mode 100644
+index 00000000000..84da71f45f7
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
+@@ -0,0 +1,11 @@
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
++
++useradd user_test
++for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
++do
++   if [[ ! -f $TESTFILE ]]
++   then
++     touch $TESTFILE
++   fi
++   chown user_test $TESTFILE
++done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
+deleted file mode 100644
+index cf9eebace8b..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
++++ /dev/null
+@@ -1,18 +0,0 @@
+-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
+-# reboot = false
+-# strategy = restrict
+-# complexity = high
+-# disruption = medium
+-- name: "Read list of world and group writable files in libraries directories"
+-  command: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f"
+-  register: world_writable_library_files
+-  changed_when: False
+-  failed_when: False
+-  check_mode: no
+-
+-- name: "Disable world/group writability to library files"
+-  file:
+-    path: "{{ item }}"
+-    mode: "go-w"
+-  with_items: "{{ world_writable_library_files.stdout_lines }}"
+-  when: world_writable_library_files.stdout_lines | length > 0
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
+deleted file mode 100644
+index af04ad625d3..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
++++ /dev/null
+@@ -1,5 +0,0 @@
+-# platform = multi_platform_all
+-DIRS="/lib /lib64 /usr/lib /usr/lib64"
+-for dirPath in $DIRS; do
+-	find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;
+-done
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
+deleted file mode 100644
+index f25c52260c4..00000000000
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
++++ /dev/null
+@@ -1,46 +0,0 @@
+-<def-group>
+-  <definition class="compliance" id="file_permissions_library_dirs" version="1">
+-    {{{ oval_metadata("
+-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
+-        objects therein, are not group-writable or world-writable.
+-      ") }}}
+-    <criteria operator="AND">
+-      <criterion test_ref="test_perms_lib_dir" />
+-      <criterion test_ref="test_perms_lib_files" />
+-    </criteria>
+-  </definition>
+-
+-  <unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="test_perms_lib_dir" version="1">
+-    <unix:object object_ref="object_file_permissions_lib_dir" />
+-  </unix:file_test>
+-
+-  <unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="test_perms_lib_files" version="1">
+-    <unix:object object_ref="object_file_permissions_lib_files" />
+-  </unix:file_test>
+-
+-  <unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1">
+-    <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
+-    <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+-    <unix:filename xsi:nil="true" />
+-    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+-    <filter action="exclude">perms_state_symlink</filter>
+-  </unix:file_object>
+-
+-  <unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1">
+-    <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
+-    <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+-    <unix:filename operation="pattern match">^.*$</unix:filename>
+-    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
+-    <filter action="exclude">perms_state_symlink</filter>
+-  </unix:file_object>
+-
+-  <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
+-    <unix:gwrite datatype="boolean">true</unix:gwrite>
+-    <unix:owrite datatype="boolean">true</unix:owrite>
+-  </unix:file_state>
+-
+-  <unix:file_state id="perms_state_symlink" version="1">
+-    <unix:type operation="equals">symbolic link</unix:type>
+-  </unix:file_state>
+-
+-</def-group>
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+index 9a07e76929e..5a708cf78c3 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+@@ -61,3 +61,14 @@ ocil: |-
+     To find shared libraries that are group-writable or world-writable,
+     run the following command for each directory <i>DIR</i> which contains shared libraries:
+     <pre>$ sudo find -L <i>DIR</i> -perm /022 -type f</pre>
++
++template:
++    name: file_permissions
++    vars:
++        filepath:
++            - /lib/
++            - /lib64/
++            - /usr/lib/
++            - /usr/lib64/
++        file_regex: ^.*$
++        filemode: '0755'
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
+similarity index 100%
+rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
+rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+index eaf04c8d36c..ec135b5279c 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+@@ -4,7 +4,7 @@ prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
+ 
+ title: |-
+     Verify the system-wide library files in directories
+-    "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root.
++    "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
+ 
+ description: |-
+     System-wide library files are stored in the following directories
+@@ -15,7 +15,7 @@ description: |-
+     /usr/lib64
+     </pre>
+     All system-wide shared library files should be protected from unauthorised
+-    access. If any of these files is not owned by root, correct its owner with
++    access. If any of these files is not group-owned by root, correct its group-owner with
+     the following command:
+     <pre>$ sudo chgrp root <i>FILE</i></pre>
+ 
+@@ -48,7 +48,7 @@ references:
+     stigid@sle15: SLES-15-010355
+     stigid@ubuntu2004: UBTU-20-01430
+ 
+-ocil_clause: 'system wide library files are not group owned by root'
++ocil_clause: 'system wide library files are not group-owned by root'
+ 
+ ocil: |-
+     System-wide library files are stored in the following directories:
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
+index 0e982c3b8ca..5356d3742d3 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+ 
+ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
+ do
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
+index 23a7703f57d..7352b60aa4b 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
++# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+ 
+ groupadd group_test
+ for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index ff23f83cfbf..88b3a7e3783 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -235,8 +235,13 @@ selections:
+     # RHEL-08-010340
+     - file_ownership_library_dirs
+ 
++    # RHEL-08-010341
++    - dir_ownership_library_dirs
++
+     # RHEL-08-010350
+     - root_permissions_syslibrary_files
++
++    # RHEL-08-010351
+     - dir_group_ownership_library_dirs
+ 
+     # RHEL-08-010360
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 8cc6d132591..65465be2c07 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -236,8 +236,13 @@ selections:
+     # RHEL-08-010340
+     - file_ownership_library_dirs
+ 
++    # RHEL-08-010341
++    - dir_ownership_library_dirs
++
+     # RHEL-08-010350
+     - root_permissions_syslibrary_files
++
++    # RHEL-08-010351
+     - dir_group_ownership_library_dirs
+ 
+     # RHEL-08-010360
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 8aad24b20f7..eb3f17f4f3d 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -2957,8 +2957,6 @@ CCE-89017-8
+ CCE-89018-6
+ CCE-89019-4
+ CCE-89020-2
+-CCE-89021-0
+-CCE-89022-8
+ CCE-89023-6
+ CCE-89024-4
+ CCE-89025-1
+diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template
+index 68fc2e1e17e..0b4ab594155 100644
+--- a/shared/templates/file_groupowner/ansible.template
++++ b/shared/templates/file_groupowner/ansible.template
+@@ -12,6 +12,7 @@
+     paths: "{{{ path }}}"
+     patterns: {{{ FILE_REGEX[loop.index0] }}}
+     use_regex: yes
++    hidden: yes
+   register: files_found
+ 
+ - name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
+diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template
+index fd2e5db5d93..64a494471a8 100644
+--- a/shared/templates/file_groupowner/oval.template
++++ b/shared/templates/file_groupowner/oval.template
+@@ -45,6 +45,10 @@
+     {{%- else %}}
+       <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
+     {{%- endif %}}
++    <filter action="exclude">symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}</filter>
+   </unix:file_object>
+   {{% endfor %}}
++  <unix:file_state id="symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" version="1">
++    <unix:type operation="equals">symbolic link</unix:type>
++  </unix:file_state>
+ </def-group>
+diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
+index 590c9fc6055..dba9e65a277 100644
+--- a/shared/templates/file_owner/ansible.template
++++ b/shared/templates/file_owner/ansible.template
+@@ -12,6 +12,7 @@
+     paths: "{{{ path }}}"
+     patterns: {{{ FILE_REGEX[loop.index0] }}}
+     use_regex: yes
++    hidden: yes
+   register: files_found
+ 
+ - name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
+diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
+index 105e29c81c8..777831d790d 100644
+--- a/shared/templates/file_owner/oval.template
++++ b/shared/templates/file_owner/oval.template
+@@ -44,6 +44,10 @@
+     {{%- else %}}
+       <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
+     {{%- endif %}}
++    <filter action="exclude">symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}</filter>
+   </unix:file_object>
+   {{% endfor %}}
++  <unix:file_state id="symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" version="1">
++    <unix:type operation="equals">symbolic link</unix:type>
++  </unix:file_state>
+ </def-group>
+diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
+index fc211bdc4c3..6d4dedcee51 100644
+--- a/shared/templates/file_permissions/ansible.template
++++ b/shared/templates/file_permissions/ansible.template
+@@ -12,6 +12,7 @@
+     paths: "{{{ path }}}"
+     patterns: {{{ FILE_REGEX[loop.index0] }}}
+     use_regex: yes
++    hidden: yes
+   register: files_found
+ 
+ - name: Set permissions for {{{ path }}} file(s)
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index b5621425b96..c5a9b6a32ad 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -181,6 +181,7 @@ selections:
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_lock_enabled
+ - dir_group_ownership_library_dirs
++- dir_ownership_library_dirs
+ - dir_permissions_library_dirs
+ - dir_perms_world_writable_root_owned
+ - dir_perms_world_writable_sticky_bits
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 31221ed632c..32d195e28aa 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -192,6 +192,7 @@ selections:
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_lock_enabled
+ - dir_group_ownership_library_dirs
++- dir_ownership_library_dirs
+ - dir_permissions_library_dirs
+ - dir_perms_world_writable_root_owned
+ - dir_perms_world_writable_sticky_bits

scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch

@@ -0,0 +1,161 @@
+diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
+index 65bc439225e..fef4679be39 100644
+--- a/docs/templates/template_reference.md
++++ b/docs/templates/template_reference.md
+@@ -2,17 +2,20 @@
+ 
+ #### accounts_password
+ -   Checks if PAM enforces password quality requirements. Checks the
+-    configuration in `/etc/pam.d/system-auth` (for RHEL 6 systems) or
+-    `/etc/security/pwquality.conf` (on other systems).
++    configuration in `/etc/security/pwquality.conf`.
+ 
+ -   Parameters:
+ 
+-    -   **variable** - PAM `pam_cracklib` (on RHEL 6) or `pam_pwquality`
+-        (on other systems) module name, eg. `ucredit`, `ocredit`
++    -   **variable** - PAM `pam_pwquality` password quality
++        requirement, eg. `ucredit`, `ocredit`
+ 
+     -   **operation** - OVAL operation, eg. `less than or equal`
+ 
+--   Languages: OVAL
++    -   **zero_comparison_operation** - (optional) OVAL operation, eg. `greater than`.
++        When set, it will test if the **variable** value matches the OVAL operation
++        when compared to zero.
++
++-   Languages: Ansible, Bash, OVAL
+ 
+ #### auditd_lineinfile
+ -   Checks configuration options of the Audit Daemon in
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+index 912c783650a..9a829ac5119 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+@@ -47,7 +47,7 @@ ocil_clause: 'that is not the case'
+ ocil: |-
+     To check the value for maximum consecutive repeating characters, run the following command:
+     <pre>$ grep maxclassrepeat /etc/security/pwquality.conf</pre>
+-    For DoD systems, the output should show <tt>maxclassrepeat</tt>=4.
++    For DoD systems, the output should show <tt>maxclassrepeat</tt>=4 or less but greater than zero.
+ 
+ platform: pam
+ 
+@@ -56,3 +56,4 @@ template:
+     vars:
+         variable: maxclassrepeat
+         operation: less than or equal
++        zero_comparison_operation: greater than
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
+new file mode 100644
+index 00000000000..5d91559d4a2
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
++	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 4/' /etc/security/pwquality.conf
++else
++	echo "maxclassrepeat = 4" >> /etc/security/pwquality.conf
++fi
++
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
+new file mode 100644
+index 00000000000..4bd8070eb7e
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
++	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 2/' /etc/security/pwquality.conf
++else
++	echo "maxclassrepeat = 2" >> /etc/security/pwquality.conf
++fi
++
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
+new file mode 100644
+index 00000000000..61538a4945f
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
++	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = -1/' /etc/security/pwquality.conf
++else
++	echo "maxclassrepeat = -1" >> /etc/security/pwquality.conf
++fi
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
+new file mode 100644
+index 00000000000..2218250ec7b
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
++	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 5/' /etc/security/pwquality.conf
++else
++	echo "maxclassrepeat = 5" >> /etc/security/pwquality.conf
++fi
++
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
+new file mode 100644
+index 00000000000..780873c6a86
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
++	sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 0/' /etc/security/pwquality.conf
++else
++	echo "maxclassrepeat = 0" >> /etc/security/pwquality.conf
++fi
++
+diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
+index 332a2800317..b995db11ea4 100644
+--- a/shared/templates/accounts_password/oval.template
++++ b/shared/templates/accounts_password/oval.template
+@@ -7,11 +7,14 @@
+     </criteria>
+   </definition>
+ 
+-  <ind:textfilecontent54_test check="all"
++  <ind:textfilecontent54_test check="all" state_operator="AND"
+   comment="check the configuration of /etc/security/pwquality.conf"
+   id="test_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
+     <ind:object object_ref="obj_password_pam_pwquality_{{{ VARIABLE }}}" />
+     <ind:state state_ref="state_password_pam_{{{ VARIABLE }}}" />
++  {{%- if ZERO_COMPARISON_OPERATION %}}
++    <ind:state state_ref="state_password_pam_{{{ VARIABLE }}}_zero_comparison" />
++  {{%- endif %}}
+   </ind:textfilecontent54_test>
+ 
+   <ind:textfilecontent54_object id="obj_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
+@@ -24,5 +27,11 @@
+     <ind:subexpression datatype="int" operation="{{{ OPERATION }}}" var_ref="var_password_pam_{{{ VARIABLE }}}" />
+   </ind:textfilecontent54_state>
+ 
++  {{%- if ZERO_COMPARISON_OPERATION %}}
++  <ind:textfilecontent54_state id="state_password_pam_{{{ VARIABLE }}}_zero_comparison" version="1">
++    <ind:subexpression datatype="int" operation="{{{ ZERO_COMPARISON_OPERATION }}}" >0</ind:subexpression>
++  </ind:textfilecontent54_state>
++  {{%- endif %}}
++
+   <external_variable comment="External variable for pam_{{{ VARIABLE }}}" datatype="int" id="var_password_pam_{{{ VARIABLE }}}" version="3" />
+ </def-group>
+diff --git a/shared/templates/accounts_password/template.py b/shared/templates/accounts_password/template.py
+index 65c25ec7991..ab849d1fa72 100644
+--- a/shared/templates/accounts_password/template.py
++++ b/shared/templates/accounts_password/template.py
+@@ -1,4 +1,7 @@
++from ssg.utils import parse_template_boolean_value
++
+ def preprocess(data, lang):
+     if lang == "oval":
+         data["sign"] = "-?" if data["variable"].endswith("credit") else ""
++    data["zero_comparison_operation"] = data.get("zero_comparison_operation", None)
+     return data

scap-security-guide.spec

@@ -2,16 +2,55 @@
 # For more details see:
 # https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
 %global _vpath_builddir build
+%global _default_patch_fuzz 2
 
 Name:		scap-security-guide
 Version:	0.1.60
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 BuildArch:	noarch
 
+# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
+Patch0:		scap-security-guide-0.1.61-file_groupowner-PR_7791.patch
+Patch1:		scap-security-guide-0.1.61-file_owner-PR_7789.patch
+Patch2:		scap-security-guide-0.1.61-file_permissions-PR_7788.patch
+Patch3:		scap-security-guide-0.1.61-update_RHEL_08_010287-PR_8051.patch
+Patch4:		scap-security-guide-0.1.61-add_RHEL_08_010331-PR_8055.patch
+Patch5:		scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch
+Patch6:		scap-security-guide-0.1.61-RC_277_245-PR_8069.patch
+Patch7:		scap-security-guide-0.1.61-RC_248_249-PR_8071.patch
+Patch8:		scap-security-guide-0.1.61-RC_251-PR_8072.patch
+Patch9:		scap-security-guide-0.1.61-RC_246_250-PR_8070.patch
+Patch10:	scap-security-guide-0.1.61-RC_247-PR_8114.patch
+Patch11:	scap-security-guide-0.1.61-RC_254-PR_8113.patch
+Patch12:	scap-security-guide-0.1.61-RC_253-PR_8111.patch
+Patch13:	scap-security-guide-0.1.61-RC_255-PR_8112.patch
+Patch14:	scap-security-guide-0.1.61-add_RHEL_08_010359-PR_8131.patch
+Patch15:	scap-security-guide-0.1.61-RC_244-PR_8133.patch
+Patch16:	scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch
+Patch17:	scap-security-guide-0.1.61-update_RHEL_08_STIG-PR_8139.patch
+Patch18:	scap-security-guide-0.1.61-remove_RHEL_08_010560-PR_8145.patch
+Patch19:	scap-security-guide-0.1.61-add_RHEL_08_040321-PR_8169.patch
+Patch20:	scap-security-guide-0.1.61-add_RHEL_08_020221-PR_8173.patch
+Patch21:	scap-security-guide-0.1.61-update_RHEL_08_040320-PR_8170.patch
+Patch22:	scap-security-guide-0.1.61-rhel8_stig_audit_rules-PR_8174.patch
+Patch23:	scap-security-guide-0.1.61-update_RHEL_08_010030-PR_8183.patch
+Patch24:	scap-security-guide-0.1.61-selinux_state_rhel8_anssi_enhanced-PR_8182.patch
+Patch25:	scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch
+Patch26:	scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch
+Patch27:	scap-security-guide-0.1.61-remove_client_alive_max-PR_8197.patch
+Patch28:	scap-security-guide-0.1.61-pwquality-PR_8185.patch
+Patch29:	scap-security-guide-0.1.61-update_RHEL_08_020041-PR_8146.patch
+Patch30:	scap-security-guide-0.1.61-rhel86_ospp_fix_audit_ospp_general-PR_8152.patch
+Patch31:	scap-security-guide-0.1.61-ospp-remove-kernel-disable-rules-PR_8093.patch
+Patch32:	scap-security-guide-0.1.61-ospp-boot-parametersb-PR_8092.patch
+Patch33:	scap-security-guide-0.1.61-ospp-audit.conf-rules-PR_8188.patch
+Patch34:	scap-security-guide-0.1.61-distributed-sshd-rekeylimit-PR_8148.patch
+Patch35:	scap-security-guide-0.1.61-supported-rhel9-PR_8202.patch
+
 BuildRequires:	libxslt
 BuildRequires:	expat
 BuildRequires:	openscap-scanner >= 1.2.5
@@ -97,6 +136,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 
 %changelog
+* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
+- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
+
 * Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
 - Rebase to a new upstream release (RHBZ#2014561)