Deliver numerous RHEL9 fixes to rules

Deliver ISM kickstarts

Resolves: rhbz#1987227
Resolves: rhbz#1987226
Resolves: rhbz#1987231
Resolves: rhbz#1988289
Resolves: rhbz#1978290

scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch

@@ -0,0 +1,31 @@
+From 8466dfa2e6f0f83e848f81f3fb57ee9d97c9e358 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Mon, 16 Aug 2021 15:26:00 +0200
+Subject: [PATCH] Remove a spurious whitespace trim
+
+The first line of the if- block ended up in the metadata comment.
+---
+ .../disable_ctrlaltdel_reboot/bash/shared.sh                | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+index 4cbf5c8465..610da67668 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+@@ -1,8 +1,8 @@
+ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
+-{{%- if init_system == "systemd" -%}}
++{{% if init_system == "systemd" -%}}
+ systemctl disable --now ctrl-alt-del.target
+ systemctl mask --now ctrl-alt-del.target
+-{{%- else -%}}
++{{%- else %}}
+ # If system does not contain control-alt-delete.override,
+ if [ ! -f /etc/init/control-alt-delete.override ]; then
+ 	# but does have control-alt-delete.conf file,
+@@ -12,4 +12,4 @@ if [ ! -f /etc/init/control-alt-delete.override ]; then
+ 	fi
+ fi
+ sed -i 's,^exec.*$,exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored",' /etc/init/control-alt-delete.override
+-{{%- endif -%}}
++{{%- endif %}}

scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch

@@ -0,0 +1,28 @@
+From 041c151df78653f807249cb7cc6cfc3f46a7b168 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 3 Aug 2021 16:50:23 +0200
+Subject: [PATCH] add details about gpgkey package for rhel9
+
+---
+ products/rhel9/product.yml | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
+index 78c65fd805..4ceb332adf 100644
+--- a/products/rhel9/product.yml
++++ b/products/rhel9/product.yml
+@@ -13,10 +13,10 @@ init_system: "systemd"
+ dconf_gdm_dir: "distro.d"
+ 
+ # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+-pkg_release: ""
+-pkg_version: ""
+-aux_pkg_release: ""
+-aux_pkg_version: ""
++pkg_release: "4ae0493b"
++pkg_version: "fd431d51"
++aux_pkg_release: "5b32db75"
++aux_pkg_version: "d4082792"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"

scap-security-guide-0.1.58-ism_ks-PR_7392.patch

@@ -0,0 +1,256 @@
+From 86e1556555fde19d3b6bfa7e280c8d9faf6243d3 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Mon, 16 Aug 2021 13:08:10 +0200
+Subject: [PATCH] Add ISM Official kickstarts
+
+---
+ .../rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg    | 116 ++++++++++++++++++
+ .../rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg    | 116 ++++++++++++++++++
+ 2 files changed, 232 insertions(+)
+ create mode 100644 products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+ create mode 100644 products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+
+diff --git a/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+new file mode 100644
+index 0000000000..d84d98b12d
+--- /dev/null
++++ b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+@@ -0,0 +1,116 @@
++# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 8 Server
++# Version: 0.0.1
++# Date: 2021-08-16
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url		the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot	enable device at a boot time
++# --device	device to be activated and / or configured with the network command
++# --bootproto	method to obtain networking configuration for device (default dhcp)
++# --noipv6	disable IPv6 on this device
++#
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled	reject incoming connections that are not in response to outbound requests
++# --ssh		allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++# 
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux	erase all Linux partitions
++# --initlabel	initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with Essential Eight profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon org_fedora_oscap
++        content-type = scap-security-guide
++        profile = xccdf_org.ssgproject.content_profile_ism_o
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject	attempt to eject CD or DVD media before rebooting
++reboot --eject
+diff --git a/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+new file mode 100644
+index 0000000000..517919539a
+--- /dev/null
++++ b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+@@ -0,0 +1,116 @@
++# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 9 Server
++# Version: 0.0.1
++# Date: 2021-08-16
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url		the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot	enable device at a boot time
++# --device	device to be activated and / or configured with the network command
++# --bootproto	method to obtain networking configuration for device (default dhcp)
++# --noipv6	disable IPv6 on this device
++#
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled	reject incoming connections that are not in response to outbound requests
++# --ssh		allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++# 
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux	erase all Linux partitions
++# --initlabel	initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with Essential Eight profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon com_redhat_oscap
++        content-type = scap-security-guide
++        profile = xccdf_org.ssgproject.content_profile_ism_o
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject	attempt to eject CD or DVD media before rebooting
++reboot --eject

scap-security-guide-0.1.58-s390x_arch-PR_7385.patch

@@ -0,0 +1,186 @@
+From cc74d1a5735272c7fe50bff4bb0c2fe049c1f868 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 12 Aug 2021 15:05:35 +0200
+Subject: [PATCH 1/3] Add cpe platform for s390x arch
+
+---
+ .../guide/system/bootloader-zipl/group.yml    |  2 +-
+ shared/applicability/arch.yml                 | 12 +++++++
+ shared/applicability/general.yml              |  5 ---
+ ...oc_sys_kernel_osrelease_arch_not_s390x.xml | 22 ++-----------
+ .../proc_sys_kernel_osrelease_arch_s390x.xml  | 33 +++++++++++++++++++
+ 5 files changed, 48 insertions(+), 26 deletions(-)
+ create mode 100644 shared/applicability/arch.yml
+ create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
+index 64c6c8dffbe..4f8ce753726 100644
+--- a/linux_os/guide/system/bootloader-zipl/group.yml
++++ b/linux_os/guide/system/bootloader-zipl/group.yml
+@@ -8,4 +8,4 @@ description: |-
+     options to it.
+     The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
+ 
+-platform: zipl
++platform: s390x_arch
+diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
+new file mode 100644
+index 00000000000..48b2aa3ef30
+--- /dev/null
++++ b/shared/applicability/arch.yml
+@@ -0,0 +1,12 @@
++cpes:
++
++  - not_s390x_arch:
++      name: "cpe:/a:not_s390x_arch"
++      title: "System architecture is not S390X"
++      check_id: proc_sys_kernel_osrelease_arch_not_s390x
++
++  - s390x_arch:
++      name: "cpe:/a:s390x_arch"
++      title: "System architecture is S390X"
++      check_id: proc_sys_kernel_osrelease_arch_s390x
++
+diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
+index 7382b7dd302..6e3ecfd9bf9 100644
+--- a/shared/applicability/general.yml
++++ b/shared/applicability/general.yml
+@@ -24,11 +24,6 @@ cpes:
+       title: "Package net-snmp is installed"
+       check_id: installed_env_has_net-snmp_package
+ 
+-  - not_s390x_arch:
+-      name: "cpe:/a:not_s390x_arch"
+-      title: "System architecture is not S390X"
+-      check_id: proc_sys_kernel_osrelease_arch_not_s390x
+-
+   - nss-pam-ldapd:
+       name: "cpe:/a:nss-pam-ldapd"
+       title: "Package nss-pam-ldapd is installed"
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+index 1fc625a1e75..d95ce249c49 100644
+--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+@@ -9,26 +9,8 @@
+       <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</description>
+     </metadata>
+     <criteria>
+-      <criterion comment="Architecture is not s390x"
+-      test_ref="test_proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
++      <extend_definition comment="Architecture is not s390x"
++      definition_ref="proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
+     </criteria>
+   </definition>
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+-      comment="proc_sys_kernel is for s390x architecture"
+-      id="test_proc_sys_kernel_osrelease_arch_s390x"
+-  version="1">
+-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
+-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
+-  </ind:textfilecontent54_test>
+-
+-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
+-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
+-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
+-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+-  </ind:textfilecontent54_object>
+-
+-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
+-    <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
+-  </ind:textfilecontent54_state>
+-
+ </def-group>
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+new file mode 100644
+index 00000000000..abc6f1b0b88
+--- /dev/null
++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+@@ -0,0 +1,33 @@
++<def-group>
++  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
++  version="1">
++    <metadata>
++      <title>Test for different architecture than s390x</title>
++      <affected family="unix">
++        <platform>multi_platform_all</platform>
++      </affected>
++      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>
++    </metadata>
++    <criteria>
++      <criterion comment="Architecture is s390x"
++      test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />
++    </criteria>
++  </definition>
++  <ind:textfilecontent54_test check="all" check_existence="all_exist"
++      comment="proc_sys_kernel is for s390x architecture"
++      id="test_proc_sys_kernel_osrelease_arch_s390x"
++  version="1">
++    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
++    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
++    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
++    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
++    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
++    <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
++  </ind:textfilecontent54_state>
++</def-group>
+
+From 527728eb84fc152bec4ef49b244999f763dc901f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 12 Aug 2021 16:16:11 +0200
+Subject: [PATCH 2/3] Remove zipl CPE platform
+
+The package names for zipl changed recently.
+As zipl is an s390 exclusive, lets use the arch check instead of
+package name check.
+---
+ shared/applicability/bootloaders.yml | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/shared/applicability/bootloaders.yml b/shared/applicability/bootloaders.yml
+index 57832118447..6856578621c 100644
+--- a/shared/applicability/bootloaders.yml
++++ b/shared/applicability/bootloaders.yml
+@@ -4,8 +4,3 @@ cpes:
+       name: "cpe:/a:grub2"
+       title: "Package grub2 is installed"
+       check_id: installed_env_has_grub2_package
+-
+-  - zipl:
+-      name: "cpe:/a:zipl"
+-      title: "System uses zipl"
+-      check_id: installed_env_has_zipl_package
+
+From 985090ffcf34c1d27c526760ef5009605060b3f1 Mon Sep 17 00:00:00 2001
+From: Watson Yuuma Sato <wsato@redhat.com>
+Date: Tue, 17 Aug 2021 19:53:59 +0200
+Subject: [PATCH 3/3] Fix typo in check title
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+
+Co-authored-by: Jan Černý <jcerny@redhat.com>
+---
+ shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+index abc6f1b0b88..7f416de6475 100644
+--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+@@ -2,7 +2,7 @@
+   <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
+   version="1">
+     <metadata>
+-      <title>Test for different architecture than s390x</title>
++      <title>Test that the architecture is s390x</title>
+       <affected family="unix">
+         <platform>multi_platform_all</platform>
+       </affected>

scap-security-guide-0.1.58-various_fixes-PR_7335.patch

@@ -0,0 +1,942 @@
+From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Fri, 30 Jul 2021 16:57:13 +0200
+Subject: [PATCH 1/5] Enable more RHEL9 content
+
+---
+ .../ssh/ssh_client/ssh_client_rekey_limit/rule.yml        | 3 ++-
+ .../disable_ctrlaltdel_burstaction/bash/shared.sh         | 2 +-
+ .../disable_ctrlaltdel_reboot/bash/shared.sh              | 4 ----
+ .../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++-
+ .../smart_card_login/service_pcscd_enabled/rule.yml       | 3 ++-
+ .../root_logins/use_pam_wheel_for_su/rule.yml             | 3 ++-
+ .../user_umask/accounts_umask_etc_csh_cshrc/rule.yml      | 3 ++-
+ .../installed_OS_is_FIPS_certified/oval/shared.xml        | 1 +
+ .../rule.yml                                              | 3 ++-
+ products/rhel9/profiles/hipaa.profile                     | 6 +++---
+ products/rhel9/profiles/ospp.profile                      | 8 ++++----
+ products/rhel9/profiles/pci-dss.profile                   | 4 ++--
+ shared/references/cce-redhat-avail.txt                    | 6 ------
+ 13 files changed, 23 insertions(+), 26 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+index f43f92c2f15..c0fbe2c5e34 100644
+--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol8,rhel8,rhcos4
++prodtype: ol8,rhel8,rhel9,rhcos4
+ 
+ title: 'Configure session renegotiation for SSH client'
+ 
+@@ -27,6 +27,7 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel8: CCE-82880-6
++    cce@rhel9: CCE-87522-9
+ 
+ references:
+     disa: CCI-000068
+diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
+index 7d4faedfb47..d8063726fb4 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
++# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+ 
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+index 94767ad5993..4cbf5c84651 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+@@ -1,9 +1,5 @@
+ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
+ {{%- if init_system == "systemd" -%}}
+-{{% if product in ["rhel7", "rhel8"] %}}
+-# The process to disable ctrl+alt+del has changed in RHEL7. 
+-# Reference: https://access.redhat.com/solutions/1123873
+-{{% endif %}}
+ systemctl disable --now ctrl-alt-del.target
+ systemctl mask --now ctrl-alt-del.target
+ {{%- else -%}}
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+index 0652fbeadaf..9c6534cf401 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+ 
+ title: 'Install the pcsc-lite package'
+ 
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+     cce@rhel7: CCE-82347-6
+     cce@rhel8: CCE-80993-9
++    cce@rhel9: CCE-86280-5
+ 
+ references:
+     disa: CCI-001954
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+index e14db48c22a..6472ade5791 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
+ 
+ title: 'Enable the pcscd Service'
+ 
+@@ -24,6 +24,7 @@ severity: medium
+ identifiers:
+     cce@rhel7: CCE-80569-7
+     cce@rhel8: CCE-80881-6
++    cce@rhel9: CCE-87907-2
+ 
+ references:
+     disa: CCI-001954
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+index a6862c2af25..984a8cf333e 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004
++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
+ 
+ title: 'Enforce usage of pam_wheel for su authentication'
+ 
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+     cce@rhel7: CCE-85855-5
+     cce@rhel8: CCE-83318-6
++    cce@rhel9: CCE-90085-2
+ 
+ references:
+     cis@rhel7: "5.7"
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+index 1b71c7d3acd..3779b396b4e 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004
++prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004
+ 
+ title: 'Ensure the Default C Shell Umask is Set Correctly'
+ 
+@@ -20,6 +20,7 @@ identifiers:
+     cce@rhcos4: CCE-84261-7
+     cce@rhel7: CCE-80203-3
+     cce@rhel8: CCE-81037-4
++    cce@rhel9: CCE-87721-7
+ 
+ references:
+     cis-csc: '18'
+diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+index a65bec7348c..3a4847ff9d8 100644
+--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+@@ -6,6 +6,7 @@
+     <criteria comment="Installed operating system is a certified operating system" operator="OR">
+       <extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
+       <extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
++      <!--extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" /-->
+       <extend_definition comment="Installed OS is RHCOS4" definition_ref="installed_OS_is_rhcos4" />
+       <extend_definition comment="Installed OS is OL7" definition_ref="installed_OS_is_ol7_family" />
+       <extend_definition comment="Installed OS is SLE12" definition_ref="installed_OS_is_sle12" />
+diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+index 8b6577226fb..4f49b3b825d 100644
+--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel8
++prodtype: rhel8,rhel9
+ 
+ title: 'Install dnf-plugin-subscription-manager Package'
+ 
+@@ -17,6 +17,7 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel8: CCE-82315-3
++    cce@rhel9: CCE-89879-1
+ 
+ references:
+     ism: 0940,1144,1467,1472,1483,1493,1494,1495
+diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
+index 1e0ea047b98..797c62708e2 100644
+--- a/products/rhel9/profiles/hipaa.profile
++++ b/products/rhel9/profiles/hipaa.profile
+@@ -33,9 +33,9 @@ selections:
+     - require_singleuser_auth
+     - restrict_serial_port_logins
+     - securetty_root_login_console_only
+-    - service_debug-shell_disabled  # not supported in RHEL9 ATM
+-    - disable_ctrlaltdel_reboot  # not supported in RHEL9 ATM
+-    - disable_ctrlaltdel_burstaction  # not supported in RHEL9 ATM
++    - service_debug-shell_disabled
++    - disable_ctrlaltdel_reboot
++    - disable_ctrlaltdel_burstaction
+     - dconf_db_up_to_date
+     - dconf_gnome_remote_access_credential_prompt
+     - dconf_gnome_remote_access_encryption
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 0ae391c60bf..adec0cbd774 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -107,7 +107,7 @@ selections:
+     - var_accounts_user_umask=027
+     - accounts_umask_etc_profile
+     - accounts_umask_etc_bashrc
+-#    - accounts_umask_etc_csh_cshrc  # not supported in RHEL9 ATM
++    - accounts_umask_etc_csh_cshrc
+ 
+     ### Software update
+     - ensure_redhat_gpgkey_installed
+@@ -177,7 +177,7 @@ selections:
+     - package_aide_installed
+     - package_dnf-automatic_installed
+     - package_subscription-manager_installed
+-#    - package_dnf-plugin-subscription-manager_installed  # not supported in RHEL9 ATM
++    - package_dnf-plugin-subscription-manager_installed
+     - package_firewalld_installed
+     - package_openscap-scanner_installed
+     - package_policycoreutils_installed
+@@ -221,7 +221,7 @@ selections:
+     - securetty_root_login_console_only
+     - var_password_pam_unix_remember=5
+     - accounts_password_pam_unix_remember
+-#    - use_pam_wheel_for_su  # not supported in RHEL9 ATM
++    - use_pam_wheel_for_su
+ 
+     ### SELinux Configuration
+     - var_selinux_state=enforcing
+@@ -422,7 +422,7 @@ selections:
+     - kerberos_disable_no_keytab
+ 
+     # set ssh client rekey limit
+-#    - ssh_client_rekey_limit  # not supported in RHEL9 ATM
++    - ssh_client_rekey_limit
+     - var_ssh_client_rekey_limit_size=1G
+     - var_ssh_client_rekey_limit_time=1hour
+ 
+diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
+index af347501989..1fe85d39ae0 100644
+--- a/products/rhel9/profiles/pci-dss.profile
++++ b/products/rhel9/profiles/pci-dss.profile
+@@ -121,8 +121,8 @@ selections:
+     - var_smartcard_drivers=cac
+     - configure_opensc_card_drivers
+     - force_opensc_card_drivers
+-#    - package_pcsc-lite_installed  # not supported in RHEL9 ATM
+-#    - service_pcscd_enabled  # not supported in RHEL9 ATM
++    - package_pcsc-lite_installed
++    - service_pcscd_enabled
+     - sssd_enable_smartcards
+     - set_password_hashing_algorithm_systemauth
+     - set_password_hashing_algorithm_logindefs
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index aa0b30da834..e78838a45aa 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -396,7 +396,6 @@ CCE-86276-3
+ CCE-86277-1
+ CCE-86278-9
+ CCE-86279-7
+-CCE-86280-5
+ CCE-86281-3
+ CCE-86282-1
+ CCE-86283-9
+@@ -1618,7 +1617,6 @@ CCE-87518-7
+ CCE-87519-5
+ CCE-87520-3
+ CCE-87521-1
+-CCE-87522-9
+ CCE-87523-7
+ CCE-87525-2
+ CCE-87526-0
+@@ -1812,7 +1810,6 @@ CCE-87717-5
+ CCE-87718-3
+ CCE-87719-1
+ CCE-87720-9
+-CCE-87721-7
+ CCE-87722-5
+ CCE-87723-3
+ CCE-87724-1
+@@ -1994,7 +1991,6 @@ CCE-87903-1
+ CCE-87904-9
+ CCE-87905-6
+ CCE-87906-4
+-CCE-87907-2
+ CCE-87908-0
+ CCE-87909-8
+ CCE-87910-6
+@@ -3932,7 +3928,6 @@ CCE-89874-2
+ CCE-89875-9
+ CCE-89877-5
+ CCE-89878-3
+-CCE-89879-1
+ CCE-89880-9
+ CCE-89881-7
+ CCE-89882-5
+@@ -4135,7 +4130,6 @@ CCE-90081-1
+ CCE-90082-9
+ CCE-90083-7
+ CCE-90084-5
+-CCE-90085-2
+ CCE-90086-0
+ CCE-90087-8
+ CCE-90088-6
+
+From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 4 Aug 2021 16:30:45 +0200
+Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules
+
+---
+ .../configure_bashrc_exec_tmux/bash/shared.sh                   | 2 +-
+ .../configure_tmux_lock_after_time/bash/shared.sh               | 2 +-
+ .../configure_tmux_lock_command/bash/shared.sh                  | 2 +-
+ .../console_screen_locking/no_tmux_in_shells/bash/shared.sh     | 2 +-
+ .../software/integrity/fips/enable_fips_mode/bash/shared.sh     | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+index 0c544bfbb82..737d725872d 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
++# platform = multi_platform_all
+ 
+ if ! grep -x '  case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
+     cat >> /etc/bashrc <<'EOF'
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
+index 233047afcbc..947e1dd7ee5 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
++# platform = multi_platform_all
+ 
+ tmux_conf="/etc/tmux.conf"
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
+index f2430618ab3..0c11c1224e2 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
++# platform = multi_platform_all
+ 
+ tmux_conf="/etc/tmux.conf"
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
+index 45c43e8d374..60e0a7e34c8 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
++# platform = multi_platform_all
+ 
+ if grep -q 'tmux$' /etc/shells ; then
+ 	sed -i '/tmux$/d' /etc/shells
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+index 87476a7b315..c98847ded72 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+@@ -1,3 +1,3 @@
+-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
++# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
+ 
+ fips-mode-setup --enable
+
+From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 4 Aug 2021 17:56:57 +0200
+Subject: [PATCH 3/5] Update the grub config path
+
+RHEL9 and Fedora EFI/legacy grub paths have been unified:
+https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
+
+The location of Ubuntu EFI grub paths has been estimated from
+https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg
+
+Location of SLE EFI grub paths has been taken from existing rules
+---
+ .../grub2_uefi_admin_username/oval/shared.xml | 16 ++++---------
+ .../uefi/grub2_uefi_admin_username/rule.yml   |  2 +-
+ .../uefi/grub2_uefi_password/oval/shared.xml  | 24 +++++++------------
+ .../uefi/grub2_uefi_password/rule.yml         | 10 ++++----
+ .../uefi_no_removeable_media/oval/shared.xml  | 16 ++++---------
+ products/fedora/product.yml                   |  2 ++
+ products/rhel7/product.yml                    |  2 ++
+ products/rhel8/product.yml                    |  2 ++
+ products/rhel9/product.yml                    |  2 ++
+ products/sle12/product.yml                    |  2 ++
+ products/sle15/product.yml                    |  1 +
+ products/ubuntu1604/product.yml               |  1 +
+ products/ubuntu1804/product.yml               |  1 +
+ products/ubuntu2004/product.yml               |  1 +
+ ssg/constants.py                              |  1 +
+ ssg/products.py                               |  4 ++++
+ tests/shared/grub2.sh                         | 10 +++++---
+ 17 files changed, 50 insertions(+), 47 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+index 8545e8ab2c7..7950c15a848 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+@@ -1,26 +1,20 @@
+-{{% if product == "fedora" %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
+-{{% else %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
+-{{% endif %}}
+-
+ <def-group>
+   <definition class="compliance" id="grub2_uefi_admin_username" version="1">
+     {{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
+ 
+     <criteria operator="OR">
+-      {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+-      <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
++      {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
++      <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
+     </criteria>
+   </definition>
+ 
+-  {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
++  {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
+     <ind:object object_ref="object_bootloader_uefi_unique_superuser" />
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
+-    <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
++    <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
+     <ind:pattern operation="pattern match">^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+index 8a98cbdc95f..128d7cc1cb8 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+@@ -20,7 +20,7 @@ description: |-
+     Once the superuser account has been added,
+     update the
+     <tt>grub.cfg</tt> file by running:
+-    <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
++    <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
+ 
+ rationale: |-
+     Having a non-default grub superuser username makes password-guessing attacks less effective.
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+index 230aab73139..a67c8ad99bb 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+@@ -1,32 +1,26 @@
+-{{% if product == "fedora" %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
+-{{% else %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
+-{{% endif %}}
+-
+ <def-group>
+   <definition class="compliance" id="grub2_uefi_password" version="1">
+     {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
+ 
+     <criteria operator="OR">
+-      {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
++      {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
+       <criteria operator="AND">
+         <criteria comment="check both files to account for procedure change in documenation" operator="OR">
+-          <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+-          <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
++          <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
++          <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
+         </criteria>
+-        <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
++        <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
+       </criteria>
+     </criteria>
+   </definition>
+ 
+-  {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
++  {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
+     <ind:object object_ref="object_bootloader_uefi_superuser" />
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
+-    <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
++    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+     <ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -35,7 +29,7 @@
+     <ind:object object_ref="object_grub2_uefi_password_usercfg" />
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_grub2_uefi_password_usercfg" version="1">
+-    <ind:filepath>{{{ grub_cfg_prefix }}}/user.cfg</ind:filepath>
++    <ind:filepath>{{{ grub2_uefi_boot_path }}}/user.cfg</ind:filepath>
+     <ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -44,7 +38,7 @@
+     <ind:object object_ref="object_grub2_uefi_password_grubcfg" />
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
+-    <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
++    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+     <ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+index cb0d60c3ddf..cc68441e5ad 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+@@ -31,10 +31,8 @@ description: |-
+     <tt>grub.cfg</tt> file by running:
+     {{% if "ubuntu" in product %}}
+     <pre>update-grub</pre>
+-    {{% elif product in ["sle12", "sle15"] %}}
+-    <pre>grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg</pre>
+     {{% else %}}
+-    <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
++    <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
+     {{% endif %}}
+ 
+ rationale: |-
+@@ -91,18 +89,18 @@ ocil: |-
+     To verify the boot loader superuser account password has been set,
+     and the password encrypted, run the following command:
+     {{% if product in ["sle12", "sle15"] %}}
+-    <pre>sudo cat /boot/efi/EFI/sles/grub.cfg</pre>
++    <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
+     The output should be similar to:
+     <pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
+     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
+     916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
+     0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
+     {{% elif "ubuntu" in product %}}
+-    <pre>grep -i password /boot/grub/grub.cfg</pre>
++    <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
+     The output should contain something similar to:
+     <pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
+     {{% else %}}
+-    <pre>sudo cat /boot/efi/EFI/redhat/user.cfg</pre>
++    <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
+     The output should be similar to:
+     <pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
+     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+index 72872d907e3..89a9fae86ec 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+@@ -1,27 +1,21 @@
+-{{% if product == "fedora" %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
+-{{% else %}}
+-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
+-{{% endif %}}
+-
+ <def-group>
+   <definition class="compliance" id="uefi_no_removeable_media" version="1">
+     {{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
+     <criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
+-      <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
+-      {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
++      <criterion comment="Check the set root in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
++      {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
+     </criteria>
+   </definition>
+ 
+   <ind:textfilecontent54_test check="all" check_existence="all_exist"
+-  comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
++  comment="tests the value of set root setting in the {{{ grub2_uefi_boot_path + "/grub.cfg" }}} file"
+   id="test_uefi_no_removeable_media" version="1">
+   <ind:object object_ref="obj_uefi_no_removeable_media" />
+   <ind:state state_ref="state_uefi_no_removeable_media" />
+   </ind:textfilecontent54_test>
+ 
+   <ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
+-    <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
++    <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
+     <ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
+     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -30,5 +24,5 @@
+     <ind:subexpression datatype="string" operation="pattern match">^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$</ind:subexpression>
+   </ind:textfilecontent54_state>
+ 
+-  {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
++  {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
+ </def-group>
+diff --git a/products/fedora/product.yml b/products/fedora/product.yml
+index 0cb53c5331e..ea8e98eea78 100644
+--- a/products/fedora/product.yml
++++ b/products/fedora/product.yml
+@@ -10,6 +10,8 @@ pkg_manager: "dnf"
+ 
+ init_system: "systemd"
+ 
++grub2_boot_path: "/boot/grub2"
++
+ dconf_gdm_dir: "distro.d"
+ 
+ cpes_root: "../../shared/applicability"
+diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
+index fb5d17786da..6438797f218 100644
+--- a/products/rhel7/product.yml
++++ b/products/rhel7/product.yml
+@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+ oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
+ 
++grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
++
+ cpes_root: "../../shared/applicability"
+ cpes:
+   - rhel7:
+diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
+index 78c987b2457..f6d2102558d 100644
+--- a/products/rhel8/product.yml
++++ b/products/rhel8/product.yml
+@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+ oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+ 
++grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
++
+ cpes_root: "../../shared/applicability"
+ cpes:
+   - rhel8:
+diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
+index 4ceb332adf3..6b5a15d5cee 100644
+--- a/products/rhel9/product.yml
++++ b/products/rhel9/product.yml
+@@ -10,6 +10,8 @@ pkg_manager: "dnf"
+ 
+ init_system: "systemd"
+ 
++grub2_boot_path: "/boot/grub2"
++
+ dconf_gdm_dir: "distro.d"
+ 
+ # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+diff --git a/products/sle12/product.yml b/products/sle12/product.yml
+index d1301a17f91..b9e44e0725c 100644
+--- a/products/sle12/product.yml
++++ b/products/sle12/product.yml
+@@ -12,6 +12,8 @@ pkg_manager: "zypper"
+ pkg_manager_config_file: "/etc/zypp/zypp.conf"
+ oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
+ 
++grub2_uefi_boot_path: "/boot/efi/EFI/sles"
++
+ cpes_root: "../../shared/applicability"
+ cpes:
+   - sle12-server:
+diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
+index 827a875d493..36ec98397f6 100644
+--- a/products/ubuntu1604/product.yml
++++ b/products/ubuntu1604/product.yml
+@@ -12,6 +12,7 @@ init_system: "systemd"
+ oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
+ 
+ grub2_boot_path: "/boot/grub"
++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
+ 
+ cpes_root: "../../shared/applicability"
+ cpes:
+diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
+index 68922441a2a..f1671b8d7dd 100644
+--- a/products/ubuntu1804/product.yml
++++ b/products/ubuntu1804/product.yml
+@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
+ init_system: "systemd"
+ 
+ grub2_boot_path: "/boot/grub"
++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
+ 
+ cpes_root: "../../shared/applicability"
+ cpes:
+diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
+index 15565b6748f..d75624d70a3 100644
+--- a/products/ubuntu2004/product.yml
++++ b/products/ubuntu2004/product.yml
+@@ -12,6 +12,7 @@ init_system: "systemd"
+ oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
+ 
+ grub2_boot_path: "/boot/grub"
++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
+ 
+ cpes_root: "../../shared/applicability"
+ cpes:
+diff --git a/ssg/constants.py b/ssg/constants.py
+index 666d7a4d3c8..f9c978a22a2 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -383,4 +383,5 @@
+ # Application constants
+ DEFAULT_UID_MIN = 1000
+ DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
++DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
+ DEFAULT_DCONF_GDM_DIR = 'gdm.d'
+diff --git a/ssg/products.py b/ssg/products.py
+index 25178b741b2..fb55f5c2f4b 100644
+--- a/ssg/products.py
++++ b/ssg/products.py
+@@ -9,6 +9,7 @@
+ from .constants import (product_directories,
+                         DEFAULT_UID_MIN,
+                         DEFAULT_GRUB2_BOOT_PATH,
++                        DEFAULT_GRUB2_UEFI_BOOT_PATH,
+                         DEFAULT_DCONF_GDM_DIR,
+                         PKG_MANAGER_TO_SYSTEM,
+                         PKG_MANAGER_TO_CONFIG_FILE,
+@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
+     if "grub2_boot_path" not in existing_properties:
+         result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
+ 
++    if "grub2_uefi_boot_path" not in existing_properties:
++        result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
++
+     if "dconf_gdm_dir" not in existing_properties:
+         result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
+ 
+diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
+index bce7683a7c1..f024b3766cf 100644
+--- a/tests/shared/grub2.sh
++++ b/tests/shared/grub2.sh
+@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
+ 
+ function set_grub_uefi_root {
+ 	if grep NAME /etc/os-release | grep -iq fedora; then
+-		GRUB_CFG_ROOT=/boot/efi/EFI/fedora
+-	else
+-		GRUB_CFG_ROOT=/boot/efi/EFI/redhat
++		GRUB_CFG_ROOT=/boot/grub2
++	elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
++		if grep VERSION /etc/os-release | grep -q '9\.0'; then
++			GRUB_CFG_ROOT=/boot/grub2
++		else
++			GRUB_CFG_ROOT=/boot/efi/EFI/redhat
++		fi
+ 	fi
+ }
+ 
+
+From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Thu, 5 Aug 2021 17:59:39 +0200
+Subject: [PATCH 4/5] Add the sshd directory configuration rule
+
+Remediations of other sshd rules assumes that sshd is configured using
+multiple files as opposed to one huge file, and this rule
+makes sure that the assumption is guarded.
+---
+ controls/anssi.yml                      | 3 +++
+ products/rhel9/profiles/cis.profile     | 2 ++
+ products/rhel9/profiles/cjis.profile    | 1 +
+ products/rhel9/profiles/e8.profile      | 1 +
+ products/rhel9/profiles/hipaa.profile   | 1 +
+ products/rhel9/profiles/ism_o.profile   | 1 +
+ products/rhel9/profiles/ospp.profile    | 1 +
+ products/rhel9/profiles/pci-dss.profile | 1 +
+ products/rhel9/profiles/rht-ccp.profile | 1 +
+ 9 files changed, 12 insertions(+)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 7737e67ea51..eee79cf1ef7 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -384,6 +384,9 @@ controls:
+     - package_sudo_installed
+     - audit_rules_privileged_commands_sudo
+ 
++    # This rule should be present in the profile at least once
++    - sshd_use_directory_configuration
++
+   - id: R20
+     levels:
+     - enhanced
+diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
+index 622f88e3766..8d7816e5e2d 100644
+--- a/products/rhel9/profiles/cis.profile
++++ b/products/rhel9/profiles/cis.profile
+@@ -791,6 +791,8 @@ selections:
+     - file_permissions_sshd_pub_key
+     # TO DO: check owner of pub keys in /etc/ssh is root:root
+ 
++    # Ensure that the configuration is done the right way
++    - sshd_use_directory_configuration
+     ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+     - sshd_set_loglevel_info
+ 
+diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
+index b45ba19d84f..0aaf7cb0206 100644
+--- a/products/rhel9/profiles/cjis.profile
++++ b/products/rhel9/profiles/cjis.profile
+@@ -98,6 +98,7 @@ selections:
+     - dconf_gnome_screensaver_idle_activation_enabled
+     - dconf_gnome_screensaver_lock_enabled
+     - dconf_gnome_screensaver_mode_blank
++    - sshd_use_directory_configuration
+     - sshd_allow_only_protocol2
+     - sshd_set_idle_timeout
+     - var_sshd_set_keepalive=0
+diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
+index 6d87a778eee..3851255ccec 100644
+--- a/products/rhel9/profiles/e8.profile
++++ b/products/rhel9/profiles/e8.profile
+@@ -126,6 +126,7 @@ selections:
+   - audit_rules_kernel_module_loading
+ 
+   ### Secure access
++  - sshd_use_directory_configuration
+   - sshd_disable_root_login
+   - sshd_disable_gssapi_auth
+   - sshd_print_last_log
+diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
+index 797c62708e2..d1dc18ba33c 100644
+--- a/products/rhel9/profiles/hipaa.profile
++++ b/products/rhel9/profiles/hipaa.profile
+@@ -39,6 +39,7 @@ selections:
+     - dconf_db_up_to_date
+     - dconf_gnome_remote_access_credential_prompt
+     - dconf_gnome_remote_access_encryption
++    - sshd_use_directory_configuration
+     - sshd_disable_empty_passwords
+     - sshd_disable_root_login
+     - libreswan_approved_tunnels
+diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
+index 82e863ad3d3..6fc919da128 100644
+--- a/products/rhel9/profiles/ism_o.profile
++++ b/products/rhel9/profiles/ism_o.profile
+@@ -56,6 +56,7 @@ selections:
+   ## Authentication hardening
+   ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
+   ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
++  - sshd_use_directory_configuration
+   - sshd_max_auth_tries_value=5
+   - disable_host_auth
+   - require_emergency_target_auth
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index adec0cbd774..08ffcccd9e2 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -58,6 +58,7 @@ selections:
+ 
+     ### Services
+     # sshd
++    - sshd_use_directory_configuration
+     - sshd_disable_root_login
+     - sshd_enable_strictmodes
+     - disable_host_auth
+diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
+index 1fe85d39ae0..bd16dc97721 100644
+--- a/products/rhel9/profiles/pci-dss.profile
++++ b/products/rhel9/profiles/pci-dss.profile
+@@ -105,6 +105,7 @@ selections:
+     - dconf_gnome_screensaver_idle_activation_enabled
+     - dconf_gnome_screensaver_lock_enabled
+     - dconf_gnome_screensaver_mode_blank
++    - sshd_use_directory_configuration
+     - sshd_set_idle_timeout
+     - var_sshd_set_keepalive=0
+     - accounts_password_pam_minlen
+diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
+index e1d9a70b493..8576975aa54 100644
+--- a/products/rhel9/profiles/rht-ccp.profile
++++ b/products/rhel9/profiles/rht-ccp.profile
+@@ -87,6 +87,7 @@ selections:
+     - service_telnet_disabled
+     - package_telnet-server_removed
+     - package_telnet_removed
++    - sshd_use_directory_configuration
+     - sshd_allow_only_protocol2
+     - sshd_set_idle_timeout
+     - var_sshd_set_keepalive=0
+
+From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Wed, 11 Aug 2021 16:43:00 +0200
+Subject: [PATCH 5/5] Reflect fusion of rhel9 packages
+
+Packages dnf-plugin-subscription-manager and subscription-manager are
+merged to subscription-manager in RHEL9 - see
+https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
+---
+ .../rule.yml                                             | 3 +--
+ .../package_subscription-manager_installed/rule.yml      | 9 ++++++++-
+ products/rhel9/profiles/ospp.profile                     | 1 -
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+index 4f49b3b825d..8b6577226fb 100644
+--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel8,rhel9
++prodtype: rhel8
+ 
+ title: 'Install dnf-plugin-subscription-manager Package'
+ 
+@@ -17,7 +17,6 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel8: CCE-82315-3
+-    cce@rhel9: CCE-89879-1
+ 
+ references:
+     ism: 0940,1144,1467,1472,1483,1493,1494,1495
+diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+index b90a7588270..32e5ce9a129 100644
+--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+@@ -12,7 +12,14 @@ rationale: |-
+     and subscriptions on a local system to help manage subscription assignments.
+     It communicates with the backend subscription service (the Customer Portal
+     or an on-premise server such as Subscription Asset Manager) and works with
+-    content management tools such as yum.
++    content management tools such as {{{ package_manager }}}.
++
++    {{% if product in ["rhel9"] %}}
++    The package provides, among other things, {{{ package_manager }}} plugins
++    to interact with repositories and subscriptions
++    from the Red Hat entitlement platform - the subscription-manager and
++    product-id plugins.
++    {{% endif %}}
+ 
+ severity: medium
+ 
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 08ffcccd9e2..1b060c7bf07 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -178,7 +178,6 @@ selections:
+     - package_aide_installed
+     - package_dnf-automatic_installed
+     - package_subscription-manager_installed
+-    - package_dnf-plugin-subscription-manager_installed
+     - package_firewalld_installed
+     - package_openscap-scanner_installed
+     - package_policycoreutils_installed

scap-security-guide.spec

@@ -5,7 +5,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.57
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@@ -15,6 +15,11 @@ BuildArch:	noarch
 Patch0:		scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
 Patch1:		scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
 Patch2:		scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
+Patch3:		scap-security-guide-0.1.58-various_fixes-PR_7335.patch
+Patch4:		scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
+Patch5:		scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
+Patch6:		scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
+Patch7:		scap-security-guide-0.1.58-ism_ks-PR_7392.patch
 
 BuildRequires:	libxslt
 BuildRequires:	expat
@@ -101,6 +106,22 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 
 %changelog
+* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
+- Use SSHD directory-based configuration.
+  Resolves: rhbz#1962564
+- Introduce ISM kickstarts
+  Resolves: rhbz#1978290
+- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
+  TLDR: Enable remediations by means of platform metadata,
+  enable the RHEL9 GPG rule, introduce the s390x platform,
+  fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
+  address the subscription-manager package merge, and
+  enable and select more rules applicable to RHEL9.
+  Resolves: rhbz#1987227
+  Resolves: rhbz#1987226
+  Resolves: rhbz#1987231
+  Resolves: rhbz#1988289
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688