Updates to RHEL-9.0.0 content

Update sudoers rules in RHEL8 STIG V1R5 Add missing SRG references in RHEL8 STIG V1R5 rules Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives Fix GRUB2 rule template to configure the module correctly on RHEL8 Update GRUB2 rule descriptions Make package_rear_installed not applicable on AARCH64 Resolves: rhbz#2045403 Resolves: rhbz#2014561 Resolves: rhbz#2020623
2022-02-14 19:24:32 +01:00 · 2022-02-14 19:24:32 +01:00 · cd3b90bce2
parent 9887c6a84e
commit cd3b90bce2
8 changed files with 3004 additions and 1 deletions
--- a/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
+++ b/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
@ -0,0 +1,596 @@
+From 19bd5adfd804590b15e42cc75287b792706286d5 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Feb 2022 15:25:06 +0100
+Subject: [PATCH 1/9] Add rule to check for default sudoers includedir
+
+This rule supports RHEL-08-010379.
+---
+ .../ansible/shared.yml                        |  7 ++++
+ .../sudoers_default_includedir/bash/shared.sh | 11 ++++++
+ .../oval/shared.xml                           | 23 +++++++++++
+ .../sudo/sudoers_default_includedir/rule.yml  | 38 +++++++++++++++++++
+ .../tests/default_includedir.pass.sh          |  7 ++++
+ .../tests/duplicate_includedir.fail.sh        |  7 ++++
+ .../tests/no_includedir.fail.sh               |  4 ++
+ .../tests/two_includedir.fail.sh              |  8 ++++
+ shared/references/cce-redhat-avail.txt        |  3 --
+ 9 files changed, 105 insertions(+), 3 deletions(-)
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
+
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+new file mode 100644
+index 00000000000..d9d5933285f
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# # reboot = false
+# # strategy = configure
+# # complexity = low
+# # disruption = low
+
+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+new file mode 100644
+index 00000000000..3a9e2da985b
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+
+sudoers_config_file="/etc/sudoers"
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+if [ "$sudoers_includedir_count" -gt 1 ]; then
+    sed -i "/#includedir.*/d" "$sudoers_config_file"
+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+fi
+if [ "$sudoers_includedir_count" -eq 0 ]; then
+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+fi
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+new file mode 100644
+index 00000000000..5618c64291c
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+@@ -0,0 +1,23 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
+    <criteria operator="AND">
+      <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+      comment="audit augenrules rmmod" id="test_sudoers_default_includedir" version="1">
+    <ind:object object_ref="object_sudoers_default_includedir" />
+    <ind:state state_ref="state_sudoers_default_includedir" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_sudoers_default_includedir" version="1">
+    <ind:filepath>/etc/sudoers</ind:filepath>
+    <ind:pattern operation="pattern match">^#includedir[\s]+(.*)$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_sudoers_default_includedir" version="1">
+    <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+</def-group>
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+new file mode 100644
+index 00000000000..5c33121f911
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8,rhel9
+
+title: 'Ensure sudo only includes the default configuration directory'
+
+description: |-
+    Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
+    other directories and configuration files from the file currently being parsed.
+  
+    Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
+    The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
+    <tt>/etc/sudoers.d</tt>
+    Note that the '#' character doesn't denote a comment in the configuration file.
+
+rationale: |-
+   Some <tt>sudo</tt> configurtion options allow users to run programs without re-authenticating.
+   Use of these configuration options makes it easier for one compromised accound to be used to
+   compromise other accounts.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86277-1
+    cce@rhel8: CCE-86377-9
+    cce@rhel9: CCE-86477-7
+
+references:
+    disa: CCI-000366
+    stigid@rhel8: RHEL-08-010379
+
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
+
+ocil: |-
+    To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
+    run the following command:
+    <pre>$ sudo grep 'include' /etc/sudoers</pre>
+    If only the line <tt>#includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly.
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
+new file mode 100644
+index 00000000000..ac0c808ccd6
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
+@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
+new file mode 100644
+index 00000000000..5bad8225625
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
+@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# duplicate default entry
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
+new file mode 100644
+index 00000000000..1e0ab8aea92
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
+@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
+new file mode 100644
+index 00000000000..09d14eab630
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
+@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure that there are two different indludedirs
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 41caad9f0d0..f2990adb537 100644
+--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
+@@ -340,7 +340,6 @@ CCE-86273-0
+ CCE-86274-8
+ CCE-86275-5
+ CCE-86276-3
+-CCE-86277-1
+ CCE-86278-9
+ CCE-86279-7
+ CCE-86281-3
+@@ -428,7 +427,6 @@ CCE-86373-8
+ CCE-86374-6
+ CCE-86375-3
+ CCE-86376-1
+-CCE-86377-9
+ CCE-86378-7
+ CCE-86379-5
+ CCE-86380-3
+@@ -524,7 +522,6 @@ CCE-86473-6
+ CCE-86474-4
+ CCE-86475-1
+ CCE-86476-9
+-CCE-86477-7
+ CCE-86478-5
+ CCE-86479-3
+ CCE-86480-1
+
+From 99fe46922243e8dff5822e2ed6eb49addd000baa Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Feb 2022 16:21:46 +0100
+Subject: [PATCH 2/9] Select rule in RHEL8 STIG
+
+Select sudoers_default_indludedir aligning to RHEL8 STIG V1R5
+---
+ products/rhel8/profiles/stig.profile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index d92bc72971c..e13bda7a787 100644
+--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
+@@ -271,6 +271,9 @@ selections:
+     # RHEL-08-010376
+     - sysctl_kernel_perf_event_paranoid
+ 
+    # RHEL-08-010379
+    - sudoers_default_includedir
+
+     # RHEL-08-010380
+     - sudo_remove_nopasswd
+ 
+
+From 3686fe72a6e27049f1c46d0a4efa07e1b42b6a20 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Feb 2022 17:26:59 +0100
+Subject: [PATCH 3/9] Add test and fix for case when the single includedir is
+ wrong
+
+---
+ .../sudo/sudoers_default_includedir/bash/shared.sh         | 7 +++++--
+ .../tests/wrong_includedir.fail.sh                         | 5 +++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
+
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+index 3a9e2da985b..258af02c121 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+@@ -5,7 +5,10 @@ sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+ if [ "$sudoers_includedir_count" -gt 1 ]; then
+     sed -i "/#includedir.*/d" "$sudoers_config_file"
+     echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+-fi
+-if [ "$sudoers_includedir_count" -eq 0 ]; then
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
+     echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+else
+    if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then
+        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers
+    fi
+ fi
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
+new file mode 100644
+index 00000000000..55a072adf3c
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
+@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
+
+From 0b20b495ed82cead1a033170b900c13da5260603 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Feb 2022 14:50:11 +0100
+Subject: [PATCH 4/9] Add tests for sudo file and dir includes in
+ /etc/sudoers.d
+
+---
+ .../tests/sudoers.d_with_include.fail.sh              |  9 +++++++++
+ .../tests/sudoers.d_with_includedir.fail.sh           |  9 +++++++++
+ .../tests/sudoers_with_include.fail.sh                | 11 +++++++++++
+ 3 files changed, 29 insertions(+)
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
+
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
+new file mode 100644
+index 00000000000..554ef2e060d
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
+@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
+new file mode 100644
+index 00000000000..516b68b5a3e
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
+@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
+new file mode 100644
+index 00000000000..ad04880e334
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
+@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+if ! grep -q "#include " /etc/sudoers; then
+    echo "#include /etc/my-sudoers" >> /etc/sudoers
+fi
+
+From d91e3eefe6c265c27634cb15b0f276a298f81645 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Feb 2022 14:59:18 +0100
+Subject: [PATCH 5/9] Update rule catch and remove other sudo includes
+
+Any other #include or #includedir besides:
+"/etc/sudoers: #includedir /etc/sudoers.d" should be removed.
+---
+ .../ansible/shared.yml                        | 14 +++++++++++
+ .../sudoers_default_includedir/bash/shared.sh |  7 ++++--
+ .../oval/shared.xml                           | 23 +++++++++++++++++++
+ .../sudo/sudoers_default_includedir/rule.yml  |  7 +++---
+ 4 files changed, 46 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+index d9d5933285f..175a447e0d9 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+@@ -5,3 +5,17 @@
+ # # disruption = low
+ 
+ {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
+  find:
+    path: "/etc/sudoers.d"
+    patterns: "*"
+    contains: '^#include(dir)?\s.*$'
+  register: sudoers_d_includes
+
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
+  lineinfile:
+    path: "{{ item.path }}"
+    regexp: '^#include(dir)?\s.*$'
+    state: absent
+  with_items: "{{ sudoers_d_includes.files }}"
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+index 258af02c121..2d00b471677 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+@@ -1,6 +1,7 @@
+ # platform = multi_platform_all
+ 
+ sudoers_config_file="/etc/sudoers"
+sudoers_config_dir="/etc/sudoers.d"
+ sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+ if [ "$sudoers_includedir_count" -gt 1 ]; then
+     sed -i "/#includedir.*/d" "$sudoers_config_file"
+@@ -8,7 +9,9 @@ if [ "$sudoers_includedir_count" -gt 1 ]; then
+ elif [ "$sudoers_includedir_count" -eq 0 ]; then
+     echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+ else
+-    if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then
+-        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers
+    if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
+        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
+     fi
+ fi
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/*
+sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/*
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+index 5618c64291c..59cab0b89de 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+@@ -3,6 +3,8 @@
+     {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
+     <criteria operator="AND">
+       <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+      <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+      <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+     </criteria>
+   </definition>
+ 
+@@ -20,4 +22,25 @@
+     <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
+   </ind:textfilecontent54_state>
+ 
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+      comment="audit augenrules rmmod" id="test_sudoers_without_include" version="1">
+    <ind:object object_ref="object_sudoers_without_include" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_sudoers_without_include" version="1">
+    <ind:filepath>/etc/sudoers</ind:filepath>
+    <ind:pattern operation="pattern match">^#include[\s]+.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+      comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
+    <ind:object object_ref="object_sudoersd_without_includes" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_sudoersd_without_includes" version="1">
+    <ind:path>/etc/sudoers.d/</ind:path>
+    <ind:filename operation="pattern match">.*</ind:filename>
+    <ind:pattern operation="pattern match">^#include(dir)?[\s]+.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+ </def-group>
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+index 5c33121f911..3a8c22ac8af 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+@@ -10,7 +10,7 @@ description: |-
+   
+     Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
+     The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
+-    <tt>/etc/sudoers.d</tt>
+    <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
+     Note that the '#' character doesn't denote a comment in the configuration file.
+ 
+ rationale: |-
+@@ -34,5 +34,6 @@ ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other
+ ocil: |-
+     To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
+     run the following command:
+-    <pre>$ sudo grep 'include' /etc/sudoers</pre>
+-    If only the line <tt>#includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly.
+    <pre>$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d</pre>
+    If only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.
+    Any other line returned is a finding.
+
+From ead72b744f1fc03893184079c079df27780044c2 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Feb 2022 15:00:46 +0100
+Subject: [PATCH 6/9] Add SRG to sudoers_default_includedir
+
+---
+ .../system/software/sudo/sudoers_default_includedir/rule.yml     | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+index 3a8c22ac8af..a97bd3efb2c 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+@@ -27,6 +27,7 @@ identifiers:
+ 
+ references:
+     disa: CCI-000366
+    srg: SRG-OS-000480-GPOS-00227
+     stigid@rhel8: RHEL-08-010379
+ 
+ ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
+
+From c1a08fe6b8e6388b89b190ca74e57af06e7c999c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Feb 2022 16:12:32 +0100
+Subject: [PATCH 7/9] Update RHEL8 STIG profile stability data
+
+---
+ tests/data/profile_stability/rhel8/stig.profile     | 1 +
+ tests/data/profile_stability/rhel8/stig_gui.profile | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index e4fee44f9f9..974b28757e9 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -365,6 +365,7 @@ selections:
+ - sudo_remove_nopasswd
+ - sudo_require_reauthentication
+ - sudo_restrict_privilege_elevation_to_authorized
+- sudoers_default_includedir
+ - sudoers_validate_passwd
+ - sysctl_crypto_fips_enabled
+ - sysctl_fs_protected_hardlinks
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 83d04775e3a..99e0af4f5a6 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -376,6 +376,7 @@ selections:
+ - sudo_remove_nopasswd
+ - sudo_require_reauthentication
+ - sudo_restrict_privilege_elevation_to_authorized
+- sudoers_default_includedir
+ - sudoers_validate_passwd
+ - sysctl_crypto_fips_enabled
+ - sysctl_fs_protected_hardlinks
+
+From adae3ecbda4362e23cd1f30e053db37d6a1d403b Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Feb 2022 16:59:22 +0100
+Subject: [PATCH 8/9] Fix Ansible remediation metadata
+
+---
+ .../sudo/sudoers_default_includedir/ansible/shared.yml    | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+index 175a447e0d9..0d8c9e75184 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+@@ -1,8 +1,8 @@
+ # platform = multi_platform_all
+-# # reboot = false
+-# # strategy = configure
+-# # complexity = low
+-# # disruption = low
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+ 
+ {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
+ {{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
+
+From d3f048456908b316c0dcc0bff2328cf87fe6e7de Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Feb 2022 17:39:39 +0100
+Subject: [PATCH 9/9] Handle case when /etc/sudoers.d doesn't exist
+
+The remediation skips the directory, and the test scenarios create the
+dir to ensure the test scenario works.
+---
+ .../sudo/sudoers_default_includedir/bash/shared.sh        | 8 ++++++--
+ .../tests/sudoers.d_with_include.fail.sh                  | 1 +
+ .../tests/sudoers.d_with_includedir.fail.sh               | 1 +
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+index 2d00b471677..fbff5eb6f30 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+@@ -13,5 +13,9 @@ else
+         sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
+     fi
+ fi
+-sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/*
+-sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/*
+
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
+
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
+    sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
+fi
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
+index 554ef2e060d..3f14ecc1627 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
+@@ -1,6 +1,7 @@
+ #!/bin/bash
+ # platform = multi_platform_all
+ 
+mkdir -p /etc/sudoers.d
+ # Ensure default config is there
+ if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+     echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
+index 516b68b5a3e..89515076ff1 100644
+--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
+@@ -1,6 +1,7 @@
+ #!/bin/bash
+ # platform = multi_platform_all
+ 
+mkdir -p /etc/sudoers.d
+ # Ensure default config is there
+ if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+     echo "#includedir /etc/sudoers.d" >> /etc/sudoers
--- a/scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch
+++ b/scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch
@ -0,0 +1,38 @@
+From 8605b236665b1022c7379e87d9445c9ca42e78f3 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Mon, 14 Feb 2022 11:41:15 +0100
+Subject: [PATCH] Add SRG references to STIG rules.
+
+Rules accounts_password_pam_pwquality_password_auth and accounts_password_pam_pwquality_system_auth
+were missing SRG required references.
+---
+ .../accounts_password_pam_pwquality_password_auth/rule.yml      | 2 ++
+ .../accounts_password_pam_pwquality_system_auth/rule.yml        | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
+index 6c7bb1ad7a0..34dd6e2fcca 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
+@@ -22,6 +22,8 @@ identifiers:
+     cce@rhel9: CCE-85878-7
+ 
+ references:
+    disa: CCI-000366
+    srg: SRG-OS-000480-GPOS-00227
+     stigid@rhel8: RHEL-08-020100
+ 
+ ocil_clause: 'pam_pwquality.so is not enabled in password-auth'
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
+index ea42ff9b07a..a5189c61608 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
+@@ -22,6 +22,8 @@ identifiers:
+     cce@rhel9: CCE-85873-8
+ 
+ references:
+    disa: CCI-000366
+    srg: SRG-OS-000480-GPOS-00227
+     stigid@rhel8: RHEL-08-020101
+ 
+ ocil_clause: 'pam_pwquality.so is not enabled in system-auth'
--- a/scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch
+++ b/scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch
@ -0,0 +1,369 @@
+From bbafe0a7b4b9eb50bc622d9f9f3c0074fca932f9 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 9 Feb 2022 16:17:52 +0100
+Subject: [PATCH 1/2] Pass the rule when no time server nor pool is set
+
+If no time server or pool is configured, there is no entry to add
+maxpoll option to, so the rule should evaluate to pass.
+---
+ .../oval/shared.xml                           | 50 +++++++++++++++----
+ .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml  |  2 +
+ .../tests/chrony_no_pool_nor_servers.pass.sh  | 12 +++++
+ 3 files changed, 54 insertions(+), 10 deletions(-)
+ create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
+
+diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
+index 780c2e2d0ba..76f810123f3 100644
+--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
+@@ -3,17 +3,25 @@
+     {{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
+       to continuously poll the time source servers.") }}}
+     <criteria operator="OR">
+-      <criteria operator="AND">
+-        <criterion comment="check if maxpoll is set in /etc/ntp.conf"
+-        test_ref="test_ntp_set_maxpoll" />
+-        <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
+-        test_ref="test_ntp_all_server_has_maxpoll"/>
+      <criteria operator="OR">
+        <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
+          test_ref="test_ntp_no_server"/>
+        <criteria operator="AND">
+          <criterion comment="check if maxpoll is set in /etc/ntp.conf"
+          test_ref="test_ntp_set_maxpoll" />
+          <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
+          test_ref="test_ntp_all_server_has_maxpoll"/>
+        </criteria>
+       </criteria>
+-      <criteria operator="AND">
+-        <criterion comment="check if maxpoll is set in /etc/chrony.conf"
+-        test_ref="test_chrony_set_maxpoll" />
+-        <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
+-        test_ref="test_chrony_all_server_has_maxpoll"/>
+      <criteria operator="OR">
+        <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
+          test_ref="test_chrony_no_server_nor_pool"/>
+        <criteria operator="AND">
+          <criterion comment="check if maxpoll is set in /etc/chrony.conf"
+          test_ref="test_chrony_set_maxpoll" />
+          <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
+          test_ref="test_chrony_all_server_has_maxpoll"/>
+        </criteria>
+       </criteria>
+     </criteria>
+   </definition>
+@@ -77,4 +85,26 @@
+     <ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
+   </ind:textfilecontent54_state>
+ 
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+  comment="check if no server entries have server or pool set in /etc/chrony.conf"
+  id="test_chrony_no_server_nor_pool" version="1">
+    <ind:object object_ref="obj_chrony_no_server_nor_pool" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_chrony_no_server_nor_pool" version="1">
+    <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+    <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="check if all server entries have maxpoll set in /etc/ntp.conf"
+  id="test_ntp_no_server" version="1">
+    <ind:object object_ref="obj_ntp_no_server_nor_pool" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_ntp_no_server_nor_pool" version="1">
+    <ind:filepath>/etc/ntp.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^server.*</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+ </def-group>
+diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+index 20e7467a7b5..c115ad3c115 100644
+--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+@@ -13,6 +13,8 @@ description: |-
+     <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
+     to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
+     should be configured too.
+    If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
+    to pass.
+     {{% if product == "rhcos4" %}}
+     <p>
+     Note that if the remediation shipping with this content is being used, the
+diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
+new file mode 100644
+index 00000000000..bbae20fc696
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
+@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = chrony
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+yum remove -y ntp
+
+# Remove all pool and server options
+sed -i "/^pool.*/d" /etc/chrony.conf
+sed -i "/^server.*/d" /etc/chrony.conf
+
+systemctl enable chronyd.service
+
+From 60ef6eb2cce9e53ea256738ff2583b332155a318 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 11 Feb 2022 12:14:30 +0100
+Subject: [PATCH 2/2] Add rule ensuring Chrony only uses server directive
+
+This new rule only asserts that Chrony has at least one time source configured,
+and that it is done with the  'server' directive.
+No remediation is provided for rule, that is left for other specialized
+rules.
+---
+ .../chronyd_server_directive/oval/shared.xml  | 33 +++++++++++++++++++
+ .../ntp/chronyd_server_directive/rule.yml     | 32 ++++++++++++++++++
+ .../tests/file_empty.fail.sh                  |  6 ++++
+ .../tests/file_missing.fail.sh                |  6 ++++
+ .../tests/line_missing.fail.sh                |  7 ++++
+ .../tests/multiple_servers.pass.sh            |  8 +++++
+ .../tests/only_pool.fail.sh                   |  9 +++++
+ .../tests/only_server.pass.sh                 |  6 ++++
+ products/rhel8/profiles/stig.profile          |  1 +
+ products/rhel9/profiles/stig.profile          |  1 +
+ shared/references/cce-redhat-avail.txt        |  2 --
+ .../data/profile_stability/rhel8/stig.profile |  1 +
+ .../profile_stability/rhel8/stig_gui.profile  |  1 +
+ 13 files changed, 111 insertions(+), 2 deletions(-)
+ create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
+ create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
+ create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
+ create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
+ create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
+ create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
+ create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
+ create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
+
+diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
+new file mode 100644
+index 00000000000..2244e608047
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
+@@ -0,0 +1,33 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}}
+    <criteria comment="chrony.conf only has server directive">
+      <criterion test_ref="test_chronyd_server_directive_with_server" />
+      <criterion test_ref="test_chronyd_server_directive_no_pool" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+  comment="Ensure at least one time source is set with server directive" id="test_chronyd_server_directive_with_server"
+  version="1">
+    <ind:object object_ref="object_chronyd_server_directive" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object comment="Matches server entries in Chrony conf files"
+  id="object_chronyd_server_directive" version="1">
+    <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*server.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+  comment="Ensure no time source is set with pool directive" id="test_chronyd_server_directive_no_pool"
+  version="1">
+    <ind:object object_ref="object_chronyd_no_pool_directive" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object comment="Matches pool entires in Chrony conf files"
+  id="object_chronyd_no_pool_directive" version="1">
+    <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]+pool.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
+diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
+new file mode 100644
+index 00000000000..6dc24f1be85
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
+@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: 'Ensure Chrony is only configured with the server directive'
+
+description: |-
+    Check that Chrony only has time sources configured with the <tt>server</tt> directive.
+
+rationale: |-
+    Depending on the infrastruture being used the <tt>pool</tt> directive may not be supported.
+
+severity: medium
+
+platform: chrony
+
+warnings:
+  - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
+
+identifiers:
+    cce@rhel8: CCE-86077-5
+    cce@rhel9: CCE-87077-4
+
+references:
+    disa: CCI-001891
+    srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
+    stigid@rhel8: RHEL-08-030740
+
+ocil_clause: 'a remote time server is not configured or configured with pool directive'
+
+ocil: |-
+    Run the following command and verify that time sources are only configure with <tt>server</tt> directive:
+    <pre># grep -E "^(server|pool)" /etc/chrony.conf</pre>
+    A line with the appropriate server should be returned, any line returned starting with <tt>pool</tt> is a finding.
+diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
+new file mode 100644
+index 00000000000..d1ba0755198
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
+@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+echo "" > /etc/chrony.conf
+diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
+new file mode 100644
+index 00000000000..12a50ebc3d2
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
+@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+rm -f /etc/chrony.conf
+diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
+new file mode 100644
+index 00000000000..bffa8b62b1b
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
+@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+echo "some line" > /etc/chrony.conf
+echo "another line" >> /etc/chrony.conf
+diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
+new file mode 100644
+index 00000000000..5527f389316
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
+@@ -0,0 +1,8 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+sed -i "^pool.*" /etc/chrony.conf
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
+diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
+new file mode 100644
+index 00000000000..616fe8844fc
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
+@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+# remediation = none
+
+sed -i "^server.*" /etc/chrony.conf
+if ! grep "^pool.*" /etc/chrony.conf; then
+    echo "pool 0.pool.ntp.org" > /etc/chrony.conf
+fi
+diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
+new file mode 100644
+index 00000000000..21a70dc4900
+--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
+@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = chrony
+# platform = multi_platform_fedora,multi_platform_rhel
+
+sed -i "^pool.*" /etc/chrony.conf
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 36f606ee461..2bd1fb54316 100644
+--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
+@@ -909,6 +909,7 @@ selections:
+     # RHEL-08-030740
+     # remediation fails because default configuration file contains pool instead of server keyword
+     - chronyd_or_ntpd_set_maxpoll
+    - chronyd_server_directive
+ 
+     # RHEL-08-030741
+     - chronyd_client_only
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index 374932cfd32..0d4d7b0ff97 100644
+--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
+@@ -909,6 +909,7 @@ selections:
+     # RHEL-08-030740
+     # remediation fails because default configuration file contains pool instead of server keyword
+     - chronyd_or_ntpd_set_maxpoll
+    - chronyd_server_directive
+ 
+     # RHEL-08-030741
+     - chronyd_client_only
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 8c59c5d3201..0081fe1938f 100644
+--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
+@@ -152,7 +152,6 @@ CCE-86073-4
+ CCE-86074-2
+ CCE-86075-9
+ CCE-86076-7
+-CCE-86077-5
+ CCE-86078-3
+ CCE-86079-1
+ CCE-86080-9
+@@ -1079,7 +1078,6 @@ CCE-87073-3
+ CCE-87074-1
+ CCE-87075-8
+ CCE-87076-6
+-CCE-87077-4
+ CCE-87078-2
+ CCE-87079-0
+ CCE-87080-8
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 5b06103d72e..7d44f8910d1 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -160,6 +160,7 @@ selections:
+ - chronyd_client_only
+ - chronyd_no_chronyc_network
+ - chronyd_or_ntpd_set_maxpoll
+- chronyd_server_directive
+ - clean_components_post_updating
+ - configure_bashrc_exec_tmux
+ - configure_bind_crypto_policy
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 11e0ee9515a..91546d1d418 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -171,6 +171,7 @@ selections:
+ - chronyd_client_only
+ - chronyd_no_chronyc_network
+ - chronyd_or_ntpd_set_maxpoll
+- chronyd_server_directive
+ - clean_components_post_updating
+ - configure_bashrc_exec_tmux
+ - configure_bind_crypto_policy
--- a/scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
+++ b/scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
@ -0,0 +1,854 @@
+From 51a826878ade2ebb564405991937ba0e2b2b7717 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 2 Feb 2022 14:25:30 +0100
+Subject: [PATCH 1/8] create two macros
+
+one provides description for grub2_argument templated rules
+the second provides ocil for those cases
+---
+ shared/macros.jinja | 56 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+diff --git a/shared/macros.jinja b/shared/macros.jinja
+index 00358e2f67c..3d41c998b0c 100644
+--- a/shared/macros.jinja
+++ b/shared/macros.jinja
+@@ -1620,3 +1620,59 @@ The audit daemon must be restarted for the changes to take effect.
+ - no_ovirt
+ {{%- endif %}}
+ {{% endmacro %}}
+
+{{#
+    Describe how to configure Grub2 to add an argument to the default kernel command line.
+    The parameter should be in form `parameter=value`.
+#}}
+{{%- macro describe_grub2_argument(arg_name_value) -%}}
+{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+To ensure that <tt>{{{ arg_name_value }}}</tt> is added as a kernel command line
+argument to newly installed kernels, ad <tt>{{{ arg_name_value }}}</tt> to the
+default Grub2 command line for Linux operating systems.  Modify the line within
+<tt>/etc/default/grub</tt> as shown below:
+<pre>GRUB_CMDLINE_LINUX="... {{{ arg_name_value }}} ..."</pre>
+Run the following command to update command line for already installed kernels:
+{{%- if 'ubuntu' in product -%}}
+<pre># update-grub</pre>
+{{%- else -%}}
+<pre># grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"</pre>
+{{%- endif -%}}
+{{%- else -%}}
+Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows:
+<pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"</pre>
+{{%- endif -%}}
+{{%- endmacro -%}}
+
+{{#
+    Provide OCIL for checking if an argument for kernel command line is configured with Grub2.
+    The parameter should have form `parameter=value`.
+#}}
+{{%- macro ocil_grub2_argument(arg_name_value) -%}}
+{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+Inspect the form of default GRUB 2 command line for the Linux operating system
+in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
+then auditinng will be enabled for newly installed kernels.
+First check if the GRUB recovery is enabled:
+<pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
+If this option is set to true, then check that a line is output by the following command:
+<pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>
+If the recovery is disabled, check the line with
+<pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
+{{%- if 'ubuntu' in product -%}}
+Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
+<pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
+This command should not return any output.
+{{%- else -%}}
+Moreover, command line parameters for currently installed kernels should be checked as well.
+Run the following command:
+<pre># grubby --info=ALL | grep args | grep -v '{{{ arg_name_value }}}'</pre>
+The command should not return any output.
+{{%- endif -%}}
+{{%- else -%}}
+Inspect the form of default GRUB 2 command line for the Linux operating system
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then auditing
+is enabled at boot time.
+<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
+{{%- endif -%}}
+{{%- endmacro -%}}
+
+From c8cb579db19bd55eebcb0bdc4b1432368a5c1b77 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 2 Feb 2022 14:26:26 +0100
+Subject: [PATCH 2/8] use new macros in grub2_audit_argument
+
+---
+ .../auditing/grub2_audit_argument/rule.yml    | 45 ++-----------------
+ 1 file changed, 3 insertions(+), 42 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index 96dbe67699e..aff0521ee73 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -7,15 +7,8 @@ title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
+ description: |-
+     To ensure all processes can be audited, even those which start
+     prior to the audit daemon, add the argument <tt>audit=1</tt> to the default
+-    GRUB 2 command line for the Linux operating system in
+-{{% if product in ["rhel7", "ol7"] %}}
+-    <tt>/etc/default/grub</tt>, so that the line looks similar to
+-    <pre>GRUB_CMDLINE_LINUX="... audit=1 ..."</pre>
+-    In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
+-{{% else %}}
+-    <tt>{{{ grub2_boot_path }}}/grubenv</tt>, in the manner below:
+-    <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"</pre>
+-{{% endif %}}
+    GRUB 2 command line for the Linux operating system.
+    {{{ describe_grub2_argument("audit=1") | indent(4) }}}
+ 
+ rationale: |-
+     Each process on the system carries an "auditable" flag which indicates whether
+@@ -59,39 +52,7 @@ references:
+ ocil_clause: 'auditing is not enabled at boot time'
+ 
+ ocil: |-
+-{{% if product in ["rhel7", "ol7", "sle12","sle15"] %}}
+-    Inspect the form of default GRUB 2 command line for the Linux operating system
+-    in <tt>/etc/default/grub</tt>. If it includes <tt>audit=1</tt>, then auditing
+-    is enabled at boot time.
+-    First check if the GRUB recovery is enabled:
+-    <pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
+-    If this option is set to true, then check that a line is output by the following command:
+-    <pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub</pre>
+-    If the recovery is disabled, check the line with
+-    <pre>$ grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub</pre>.
+-    Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
+-    <pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'audit=1'</pre>
+-    This command should not return any output. If it does, update the configuration with
+-    <pre># grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
+-    <br /><br />
+-    Alternatively, to ensure <tt>audit=1</tt> is configured on all installed kernels, the
+-    following command may be used:
+-    <br />
+-    <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"</pre>
+-    <br />
+-{{% else %}}
+-    Inspect the form of default GRUB 2 command line for the Linux operating system
+-    in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>audit=1</tt>, then auditing
+-    is enabled at boot time.
+-    <pre># grep 'kernelopts.*audit=1.*' {{{ grub2_boot_path }}}/grubenv</pre>
+-    <br /><br />
+-    To ensure <tt>audit=1</tt> is configured on all installed kernels, the
+-    following command may be used:
+-    <br />
+-    <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"</pre>
+-    <br />
+-{{% endif %}}
+-
+    {{{ ocil_grub2_argument("audit=1") | indent(4) }}}
+ 
+ warnings:
+     - management: |-
+
+From 3ff2c245408d3fe892222eee8171e2f84868f705 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 3 Feb 2022 14:25:34 +0100
+Subject: [PATCH 3/8] fix omission  in ocil jinja macro
+
+---
+ shared/macros.jinja | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/shared/macros.jinja b/shared/macros.jinja
+index 3d41c998b0c..16a0404b668 100644
+--- a/shared/macros.jinja
+++ b/shared/macros.jinja
+@@ -1652,7 +1652,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
+ {{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+ in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
+-then auditinng will be enabled for newly installed kernels.
+then the parameter will be configured for newly installed kernels.
+ First check if the GRUB recovery is enabled:
+ <pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
+ If this option is set to true, then check that a line is output by the following command:
+@@ -1671,8 +1671,8 @@ The command should not return any output.
+ {{%- endif -%}}
+ {{%- else -%}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+-in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then auditing
+-is enabled at boot time.
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
+is configured at boot time.
+ <pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
+ {{%- endif -%}}
+ {{%- endmacro -%}}
+
+From 976da69681d03d9b9380fc57216c30c7b4891f50 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 3 Feb 2022 14:26:33 +0100
+Subject: [PATCH 4/8] use new jinja macros in all grub2 related rules
+
+---
+ .../rule.yml                                  | 15 ++-----
+ .../grub2_enable_iommu_force/rule.yml         |  9 +++-
+ .../grub2_init_on_alloc_argument/rule.yml     | 18 ++------
+ .../grub2_kernel_trust_cpu_rng/rule.yml       | 11 ++---
+ .../grub2_pti_argument/rule.yml               | 15 ++-----
+ .../grub2_vsyscall_argument/rule.yml          | 15 ++-----
+ .../grub2_ipv6_disable_argument/rule.yml      | 45 ++-----------------
+ .../grub2_page_poison_argument/rule.yml       | 15 ++-----
+ .../grub2_slub_debug_argument/rule.yml        | 15 ++-----
+ 9 files changed, 33 insertions(+), 125 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index f94ddab2fe1..868d525014f 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -7,9 +7,8 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon'
+ description: |-
+     To improve the kernel capacity to queue all log events, even those which occurred
+     prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to the default
+-    GRUB 2 command line for the Linux operating system in
+-    <tt>/etc/default/grub</tt>, in the manner below:
+-    <pre>GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"</pre>
+    GRUB 2 command line for the Linux operating system.
+    {{{ describe_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
+ 
+ rationale: |-
+     audit_backlog_limit sets the queue length for audit events awaiting transfer
+@@ -40,15 +39,7 @@ references:
+ ocil_clause: 'audit backlog limit is not configured'
+ 
+ ocil: |-
+-    Inspect the form of default GRUB 2 command line for the Linux operating system
+-    in <tt>/etc/default/grub</tt>. If they include <tt>audit=1</tt>, then auditing
+-    is enabled at boot time.
+-    <br /><br />
+-    To ensure <tt>audit_backlog_limit=8192</tt> is configured on all installed kernels, the
+-    following command may be used:
+-    <br />
+-    <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192"</pre>
+-    <br />
+    {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
+ 
+ warnings:
+     - management: |-
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+index 0a0d76aeb23..1ff5a4d5f26 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+@@ -5,9 +5,10 @@ title: 'IOMMU configuration directive'
+ description: |-
+     On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some
+         of the system critical units such as the memory.
+    {{{ describe_grub2_argument("iommu=force") | indent(4) }}}
+ 
+ rationale: |-
+-    On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by
+    On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by
+         hardware devices.
+ 
+ severity: unknown
+@@ -22,6 +23,12 @@ references:
+ 
+ platform: machine
+ 
+ocil_clause: 'I/OMMU is not activated'
+
+ocil: |-
+    {{{ ocil_grub2_argument("iommu=force") | indent(4) }}}
+
+
+ warnings:
+   - functionality:
+       Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities.
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
+index a9253c74cc6..3bb645dadb7 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
+@@ -6,12 +6,8 @@ title: 'Configure kernel to zero out memory before allocation'
+ 
+ description: |-
+     To configure the kernel to zero out memory before allocating it, add the
+-    <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line for
+-    the Linux operating system in <tt>/etc/default/grub</tt>, in the manner
+-    below:
+-    <pre>GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"</pre>
+-    Update the boot parameter for existing kernels by running the following command:
+-    <pre># grubby --update-kernel=ALL --args="init_on_alloc=1"</pre>
+    <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line.
+    {{{ describe_grub2_argument("init_on_alloc=1") | indent(4) }}}
+ 
+ rationale: |-
+     When the kernel configuration option <tt>init_on_alloc</tt> is enabled,
+@@ -27,15 +23,7 @@ identifiers:
+ ocil_clause: 'the kernel is not configured to zero out memory before allocation'
+ 
+ ocil: |-
+-    Make sure that the kernel is configured to zero out memory before
+-    allocation. Ensure that the parameter is configured in
+-    <tt>/etc/default/grub</tt>:
+-    <pre>grep GRUB_CMDLINE_LINUX /etc/default/grub</pre>
+-    The output should contain <tt>init_on_alloc=1</tt>.
+-    Run the following command to display command line parameters of all
+-    installed kernels:
+-    <pre># grubby --info=ALL | grep args</pre>
+-    Ensure that each line contains the <tt>init_on_alloc=1</tt> parameter.
+    {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}}
+ 
+ platform: machine
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+index 308ae9cb735..d6bfc02f345 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+@@ -11,8 +11,8 @@ description: |-
+     <tt>Y</tt>, make sure that it is not overridden with the boot parameter.
+     There must not exist the boot parameter <tt>random.trust_cpu=off</tt>. If
+     the option is not compiled in, make sure that <tt>random.trust_cpu=on</tt>
+-    is configured as a boot parameter by running the following command:
+-    <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on"</pre>
+    is configured as a boot parameter.
+    {{{ describe_grub2_argument("random.trust_cpu=on") | indent(4) }}}
+ 
+ rationale: |-
+     The Linux kernel offers an option which signifies if the kernel should trust
+@@ -44,11 +44,8 @@ ocil: |-
+     option is not overridden through a boot parameter:
+     <pre>sudo grep 'kernelopts.*random\.trust_cpu=off.*' {{{ grub2_boot_path }}}/grubenv</pre>
+     The command should not return any output. If the option is not compiled into
+-    the kernel, check that the option is configured through boot parameter with
+-    the following command:
+-    <pre>sudo grep 'kernelopts.*random\.trust_cpu=on.*' {{{ grub2_boot_path }}}/grubenv</pre>
+-    If the command does not return any output, then the boot parameter is
+-    missing.
+    the kernel, check that the option is configured through boot parameter.
+    {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}}
+ 
+ platform: machine
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+index f4f3fa39510..51b0a284746 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+@@ -7,9 +7,8 @@ title: 'Enable Kernel Page-Table Isolation (KPTI)'
+ description: |-
+     To enable Kernel page-table isolation,
+     add the argument <tt>pti=on</tt> to the default
+-    GRUB 2 command line for the Linux operating system in
+-    <tt>/etc/default/grub</tt>, in the manner below:
+-    <pre>GRUB_CMDLINE_LINUX="pti=on"</pre>
+    GRUB 2 command line for the Linux operating system.
+    {{{ describe_grub2_argument("pti=on") | indent(4) }}}
+ 
+ rationale: |-
+     Kernel page-table isolation is a kernel feature that mitigates
+@@ -33,15 +32,7 @@ references:
+ ocil_clause: 'Kernel page-table isolation is not enabled'
+ 
+ ocil: |-
+-    Inspect the form of default GRUB 2 command line for the Linux operating system
+-    in <tt>/etc/default/grub</tt>. If they include <tt>pti=on</tt>,
+-    then Kernel page-table isolation is enabled at boot time.
+-    <br /><br />
+-    To ensure <tt>pti=on</tt> is configured on all installed kernels, the
+-    following command may be used:
+-    <br />
+-    <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="pti=on</pre>
+-    <br />
+    {{{ ocil_grub2_argument("pti=on") | indent(4) }}}
+ 
+ warnings:
+     - management: |-
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+index 9f38a1c13b9..1b88d13bd3c 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+@@ -7,9 +7,8 @@ title: 'Disable vsyscalls'
+ description: |-
+     To disable use of virtual syscalls,
+     add the argument <tt>vsyscall=none</tt> to the default
+-    GRUB 2 command line for the Linux operating system in
+-    <tt>/etc/default/grub</tt>, in the manner below:
+-    <pre>GRUB_CMDLINE_LINUX="vsyscall=none"</pre>
+    GRUB 2 command line for the Linux operating system.
+    {{{ describe_grub2_argument("vsyscall=none") | indent(4) }}}
+ 
+ rationale: |-
+     Virtual Syscalls provide an opportunity of attack for a user who has control
+@@ -33,15 +32,7 @@ references:
+ ocil_clause: 'vsyscalls are enabled'
+ 
+ ocil: |-
+-    Inspect the form of default GRUB 2 command line for the Linux operating system
+-    in <tt>/etc/default/grub</tt>. If they include <tt>vsyscall=none</tt>,
+-    then virtyal syscalls are not enabled at boot time.
+-    <br /><br />
+-    To ensure <tt>vsyscall=none</tt> is configured on all installed kernels, the
+-    following command may be used:
+-    <br />
+-    <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none</pre>
+-    <br />
+    {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}}
+ 
+ warnings:
+     - management: |-
+diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+index b8ff66c7d6e..c0fda343a1a 100644
+--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+@@ -7,20 +7,8 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter'
+ description: |-
+     To disable IPv6 protocol support in the Linux kernel,
+     add the argument <tt>ipv6.disable=1</tt> to the default
+-    GRUB2 command line for the Linux operating system in
+-{{% if product in ["rhel7", "ol7"] %}}
+-    <tt>/etc/default/grub</tt>, so that the line looks similar to
+-    <pre>GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."</pre>
+-    In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
+-    Run one of following command to ensure that the configuration is applied when booting currently installed kernels:
+-    <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
+-    or
+-    <pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
+-{{% else %}}
+-    <tt>{{{ grub2_boot_path }}}/grubenv</tt>, in the manner below:
+-    <pre>sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
+-{{% endif %}}
+-
+    GRUB2 command line for the Linux operating system.
+    {{{ describe_grub2_argument("ipv6.disable=1") | indent(4) }}}
+ 
+ rationale: |-
+     Any unnecessary network stacks, including IPv6, should be disabled to reduce
+@@ -40,34 +28,7 @@ references:
+ ocil_clause: 'IPv6 is not disabled'
+ 
+ ocil: |-
+-    {{% if product in ["rhel7", "ol7"] %}}
+-    Inspect the form of default GRUB2 command line for the Linux operating system
+-    in <tt>/etc/default/grub</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
+-    First check if the GRUB recovery is enabled:
+-    <pre>grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
+-    If this option is set to true, then check that the following line is output by the following command:
+-    <pre>grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub</pre>
+-    If the recovery is disabled, check the line with
+-    <pre>grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>.
+-    Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
+-    <pre>sudo grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'ipv6.disable=1'</pre>
+-    This command should not return any output. If it does, update the configuration with one of following commands:
+-    <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
+-    or
+-    <pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
+-    <br />
+-{{% else %}}
+-    Inspect the form of default GRUB2 command line for the Linux operating system
+-    in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
+-    <pre>sudo grep 'kernelopts.*ipv6.disable=1.*' {{{ grub2_boot_path }}}/grubenv</pre>
+-    <br /><br />
+-    To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
+-    following command may be used:
+-    <br />
+-    <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
+-    <br />
+-{{% endif %}}
+-
+    {{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}}
+ 
+ warnings:
+     - management: |-
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+index 3bf592fb4d8..1f4e183d9e7 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+@@ -7,9 +7,8 @@ title: 'Enable page allocator poisoning'
+ description: |-
+     To enable poisoning of free pages,
+     add the argument <tt>page_poison=1</tt> to the default
+-    GRUB 2 command line for the Linux operating system in
+-    <tt>/etc/default/grub</tt>, in the manner below:
+-    <pre>GRUB_CMDLINE_LINUX="page_poison=1"</pre>
+    GRUB 2 command line for the Linux operating system.
+    {{{ describe_grub2_argument("page_poison=1") | indent(4) }}}
+ 
+ rationale: |-
+     Poisoning writes an arbitrary value to freed pages, so any modification or
+@@ -35,15 +34,7 @@ references:
+ ocil_clause: 'page allocator poisoning is not enabled'
+ 
+ ocil: |-
+-    Inspect the form of default GRUB 2 command line for the Linux operating system
+-    in <tt>/etc/default/grub</tt>. If they include <tt>page_poison=1</tt>,
+-    then page poisoning is enabled at boot time.
+-    <br /><br />
+-    To ensure <tt>page_poison=1</tt> is configured on all installed kernels, the
+-    following command may be used:
+-    <br />
+-    <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1</pre>
+-    <br />
+    {{{ ocil_grub2_argument("page_poison=1") | indent(4) }}}
+ 
+ warnings:
+     - management: |-
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+index 9964399650a..bb5dbc6c125 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+@@ -7,9 +7,8 @@ title: 'Enable SLUB/SLAB allocator poisoning'
+ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     add the argument <tt>slub_debug=P</tt> to the default
+-    GRUB 2 command line for the Linux operating system in
+-    <tt>/etc/default/grub</tt>, in the manner below:
+-    <pre>GRUB_CMDLINE_LINUX="slub_debug=P"</pre>
+    GRUB 2 command line for the Linux operating system.
+    {{{ describe_grub2_argument("slub_debug=P") | indent(4) }}}
+ 
+ rationale: |-
+     Poisoning writes an arbitrary value to freed objects, so any modification or
+@@ -35,15 +34,7 @@ references:
+ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+ 
+ ocil: |-
+-    Inspect the form of default GRUB 2 command line for the Linux operating system
+-    in <tt>/etc/default/grub</tt>. If they include <tt>slub_debug=P</tt>,
+-    then SLUB/SLAB poisoning is enabled at boot time.
+-    <br /><br />
+-    To ensure <tt>slub_debug=P</tt> is configured on all installed kernels, the
+-    following command may be used:
+-    <br />
+-    <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P</pre>
+-    <br />
+    {{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}}
+ 
+ warnings:
+     - management: |-
+
+From 5c39cf81d49f0eb5bb73337057fb95356784e5c6 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 9 Feb 2022 16:05:59 +0100
+Subject: [PATCH 5/8] fix an error in ubuntu version of macro
+
+---
+ shared/macros.jinja | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/macros.jinja b/shared/macros.jinja
+index 16a0404b668..54d2b299a47 100644
+--- a/shared/macros.jinja
+++ b/shared/macros.jinja
+@@ -1660,7 +1660,7 @@ If this option is set to true, then check that a line is output by the following
+ If the recovery is disabled, check the line with
+ <pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
+ {{%- if 'ubuntu' in product -%}}
+-Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
+Moreover, current Grub2 config file in <tt>{{{ grub2_boot_path }}}/grub.cfg</tt> must be checked.
+ <pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
+ This command should not return any output.
+ {{%- else -%}}
+
+From f100d190833d168127715215e788347f806736f3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 9 Feb 2022 16:16:21 +0100
+Subject: [PATCH 6/8] remove warnings from rules
+
+they are no longer relevant, we do not use grub2-mkconfig anymore
+---
+ .../auditing/grub2_audit_argument/rule.yml     | 18 ------------------
+ .../rule.yml                                   | 18 ------------------
+ .../grub2_pti_argument/rule.yml                | 18 ------------------
+ .../grub2_vsyscall_argument/rule.yml           | 18 ------------------
+ .../grub2_ipv6_disable_argument/rule.yml       | 18 ------------------
+ .../grub2_page_poison_argument/rule.yml        | 18 ------------------
+ .../grub2_slub_debug_argument/rule.yml         | 18 ------------------
+ 7 files changed, 126 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index aff0521ee73..00a4ded2738 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -54,24 +54,6 @@ ocil_clause: 'auditing is not enabled at boot time'
+ ocil: |-
+     {{{ ocil_grub2_argument("audit=1") | indent(4) }}}
+ 
+-warnings:
+-    - management: |-
+-        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+-        is automatically updated each time a new kernel is installed. Note that any
+-        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+-        file. To update the GRUB 2 configuration file manually, use the
+-        <pre>grub2-mkconfig -o</pre> command as follows:
+-        <ul>
+-        <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
+-        <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
+-        <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
+-{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+-{{% else %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+-{{% endif %}}
+-        </ul>
+-
+ platform: grub2
+ 
+ template:
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index 868d525014f..efbc3dae1c1 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -41,24 +41,6 @@ ocil_clause: 'audit backlog limit is not configured'
+ ocil: |-
+     {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
+ 
+-warnings:
+-    - management: |-
+-        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+-        is automatically updated each time a new kernel is installed. Note that any
+-        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+-        file. To update the GRUB 2 configuration file manually, use the
+-        <pre>grub2-mkconfig -o</pre> command as follows:
+-        <ul>
+-        <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
+-        <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
+-        <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
+-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+-{{% else %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+-{{% endif %}}
+-        </ul>
+-
+ platform: grub2
+ 
+ template:
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+index 51b0a284746..52a308e3247 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+@@ -34,24 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled'
+ ocil: |-
+     {{{ ocil_grub2_argument("pti=on") | indent(4) }}}
+ 
+-warnings:
+-    - management: |-
+-        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+-        is automatically updated each time a new kernel is installed. Note that any
+-        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+-        file. To update the GRUB 2 configuration file manually, use the
+-        <pre>grub2-mkconfig -o</pre> command as follows:
+-        <ul>
+-        <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
+-        <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
+-        <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
+-{{% if product in ["rhel8", "ol8"] %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+-{{% else %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+-{{% endif %}}
+-        </ul>
+-
+ platform: machine
+ 
+ template:
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+index 1b88d13bd3c..93eb31dad7b 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+@@ -34,24 +34,6 @@ ocil_clause: 'vsyscalls are enabled'
+ ocil: |-
+     {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}}
+ 
+-warnings:
+-    - management: |-
+-        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+-        is automatically updated each time a new kernel is installed. Note that any
+-        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+-        file. To update the GRUB 2 configuration file manually, use the
+-        <pre>grub2-mkconfig -o</pre> command as follows:
+-        <ul>
+-        <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
+-        <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
+-        <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
+-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+-{{% else %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+-{{% endif %}}
+-        </ul>
+-
+ platform: machine
+ 
+ template:
+diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+index c0fda343a1a..9e1ca48efe0 100644
+--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+@@ -30,24 +30,6 @@ ocil_clause: 'IPv6 is not disabled'
+ ocil: |-
+     {{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}}
+ 
+-warnings:
+-    - management: |-
+-        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+-        is automatically updated each time a new kernel is installed. Note that any
+-        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+-        file. To update the GRUB 2 configuration file manually, use the
+-        <pre>grub2-mkconfig -o</pre> command as follows:
+-        <ul>
+-        <li>On BIOS-based machines, issue the following command:
+-        <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
+-        <li>On UEFI-based machines, issue the following command:
+-{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
+-        <pre>sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+-{{% else %}}
+-        <pre>sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+-{{% endif %}}
+-        </ul>
+-
+ platform: grub2
+ 
+ template:
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+index 1f4e183d9e7..1ad6c6b3c44 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+@@ -36,24 +36,6 @@ ocil_clause: 'page allocator poisoning is not enabled'
+ ocil: |-
+     {{{ ocil_grub2_argument("page_poison=1") | indent(4) }}}
+ 
+-warnings:
+-    - management: |-
+-        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+-        is automatically updated each time a new kernel is installed. Note that any
+-        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+-        file. To update the GRUB 2 configuration file manually, use the
+-        <pre>grub2-mkconfig -o</pre> command as follows:
+-        <ul>
+-        <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
+-        <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
+-        <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
+-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+-{{% else %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+-{{% endif %}}
+-        </ul>
+-
+ platform: grub2
+ 
+ template:
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+index bb5dbc6c125..e40f5377c61 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+@@ -36,24 +36,6 @@ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+ ocil: |-
+     {{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}}
+ 
+-warnings:
+-    - management: |-
+-        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+-        is automatically updated each time a new kernel is installed. Note that any
+-        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+-        file. To update the GRUB 2 configuration file manually, use the
+-        <pre>grub2-mkconfig -o</pre> command as follows:
+-        <ul>
+-        <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
+-        <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
+-        <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
+-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+-{{% else %}}
+-        <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+-{{% endif %}}
+-        </ul>
+-
+ platform: grub2
+ 
+ template:
+
+From bbc3cc093004efd0457ccb33722a4fb14b0b2fb8 Mon Sep 17 00:00:00 2001
+From: vojtapolasek <krecoun@gmail.com>
+Date: Mon, 14 Feb 2022 14:29:15 +0100
+Subject: [PATCH 7/8] Update shared/macros.jinja
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Matěj Týč <matej.tyc@gmail.com>
+---
+ shared/macros.jinja | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/shared/macros.jinja b/shared/macros.jinja
+index 54d2b299a47..392181e2b24 100644
+--- a/shared/macros.jinja
+++ b/shared/macros.jinja
+@@ -1671,7 +1671,12 @@ The command should not return any output.
+ {{%- endif -%}}
+ {{%- else -%}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+-in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
+{{% if grub2_boot_path == grub2_uefi_boot_path or not grub2_uefi_boot_path -%}}
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>.
+{{%- else -%}}
+in <tt>grubenv</tt> that can be found either in <tt>{{{ grub2_boot_path }}}</tt> in case of legacy BIOS systems, or in <tt>{{{ grub2_uefi_boot_path }}}</tt> in case of UEFI systems.
+{{%- endif %}}
+If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
+ is configured at boot time.
+ <pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
+ {{%- endif -%}}
+
+From 8121376668b43d21cf0f9700994bc011c3e313d7 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 14 Feb 2022 15:17:33 +0100
+Subject: [PATCH 8/8] more modifications to description and ocil
+
+final touches
+---
+ shared/macros.jinja | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/shared/macros.jinja b/shared/macros.jinja
+index 392181e2b24..a89bac12f53 100644
+--- a/shared/macros.jinja
+++ b/shared/macros.jinja
+@@ -1626,7 +1626,7 @@ The audit daemon must be restarted for the changes to take effect.
+     The parameter should be in form `parameter=value`.
+ #}}
+ {{%- macro describe_grub2_argument(arg_name_value) -%}}
+-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}}
+ To ensure that <tt>{{{ arg_name_value }}}</tt> is added as a kernel command line
+ argument to newly installed kernels, ad <tt>{{{ arg_name_value }}}</tt> to the
+ default Grub2 command line for Linux operating systems.  Modify the line within
+@@ -1649,7 +1649,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
+     The parameter should have form `parameter=value`.
+ #}}
+ {{%- macro ocil_grub2_argument(arg_name_value) -%}}
+-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+ in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
+ then the parameter will be configured for newly installed kernels.
+@@ -1660,8 +1660,12 @@ If this option is set to true, then check that a line is output by the following
+ If the recovery is disabled, check the line with
+ <pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
+ {{%- if 'ubuntu' in product -%}}
+-Moreover, current Grub2 config file in <tt>{{{ grub2_boot_path }}}/grub.cfg</tt> must be checked.
+-<pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
+Moreover, current Grub config file <tt>grub.cfg</tt> must be checked. The file can be found
+either in <tt>{{{ grub2_boot_path }}}</tt> in case of legacy BIOS systems, or in <tt>{{{ grub2_uefi_boot_path }}}</tt> in case of UEFI systems.
+If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
+is configured at boot time.
+<pre># grep vmlinuz GRUB_CFG_FILE_PATH | grep -v '{{{ arg_name_value }}}'</pre>
+Fill in <tt>GRUB_CFG_FILE_PATH</tt> based on information above.
+ This command should not return any output.
+ {{%- else -%}}
+ Moreover, command line parameters for currently installed kernels should be checked as well.
+@@ -1678,6 +1682,7 @@ in <tt>grubenv</tt> that can be found either in <tt>{{{ grub2_boot_path }}}</tt>
+ {{%- endif %}}
+ If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
+ is configured at boot time.
+-<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
+<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' GRUBENV_FILE_LOCATION</pre>
+Fill in <tt>GRUBENV_FILE_LOCATION</tt> based on information above.
+ {{%- endif -%}}
+ {{%- endmacro -%}}
--- a/scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
+++ b/scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
@ -0,0 +1,842 @@
+From 1bd88bbdc7ce8b6e2265f323cd3a777ef2240e6b Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Fri, 28 Jan 2022 17:11:56 +0100
+Subject: [PATCH 1/5] Change the grub2 bootloader argument template
+
+- Introduce the concept of product-specific bootloader config
+  properties that determine the check/remediation form.
+- Expand the RHEL8 remediation with a check for update of
+  /etc/default/grub contents.
+- Add a RHEL8 check that looks for kernelopts references in loader entries.
+- Update tests.
+---
+ .../grub2_entries_reference_kernelopts.xml    | 25 +++++
+ .../ansible.template                          | 35 ++++++-
+ .../grub2_bootloader_argument/bash.template   | 48 +++++++--
+ .../grub2_bootloader_argument/oval.template   | 97 +++++++++++++------
+ .../arg_not_there_etcdefaultgrub.fail.sh      |  2 +-
+ ....fail.sh => arg_not_there_grubenv.fail.sh} |  0
+ 6 files changed, 164 insertions(+), 43 deletions(-)
+ create mode 100644 shared/checks/oval/grub2_entries_reference_kernelopts.xml
+ rename shared/templates/grub2_bootloader_argument/tests/{arg_not_there.fail.sh => arg_not_there_grubenv.fail.sh} (100%)
+
+diff --git a/shared/checks/oval/grub2_entries_reference_kernelopts.xml b/shared/checks/oval/grub2_entries_reference_kernelopts.xml
+new file mode 100644
+index 00000000000..1aec9fe64d2
+--- /dev/null
+++ b/shared/checks/oval/grub2_entries_reference_kernelopts.xml
+@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance" id="grub2_entries_reference_kernelopts" version="2">
+  {{{ oval_metadata(
+	  "Ensure that grubenv-defined kernel options are referenced in individual boot loader entries",
+	  title="Use $kernelopts in /boot/loader/entries/*.conf",
+	  affected_platforms=["multi_platform_all"]) }}}
+    <criteria operator="AND">
+        <criterion test_ref="test_grub2_entries_reference_kernelopts"
+        comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable." />
+    </criteria>
+  </definition>
+
+    <ind:textfilecontent54_test id="test_grub2_entries_reference_kernelopts"
+                                comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable."
+                                check="all" check_existence="all_exist" version="1">
+      <ind:object object_ref="object_grub2_entries_reference_kernelopts" />
+    </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_grub2_entries_reference_kernelopts" version="1">
+    <ind:path>/boot/loader/entries/</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^options .*\b\$kernelopts\b.*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>                                                                             
+  </ind:textfilecontent54_object>
+</def-group>
+diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template
+index 58d4fab69fa..de970879c8f 100644
+--- a/shared/templates/grub2_bootloader_argument/ansible.template
+++ b/shared/templates/grub2_bootloader_argument/ansible.template
+@@ -4,7 +4,34 @@
+ # complexity = medium
+ # disruption = low
+ 
+-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
+{{#
+   See the OVAL template for more comments.
+   Product-specific categorization should be synced across all template content types
+-#}}
+{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+{{% set system_with_kernel_options_in_grubenv = false -%}}
+{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
+{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+
+{{% if product in ["rhel9"] %}}
+{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
+{{% endif -%}}
+
+{{% if product in ["rhel8"] %}}
+{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
+{{% set system_with_kernel_options_in_grubenv = true %}}
+{{% endif -%}}
+
+{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+{{% endif -%}}
+
+{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+{{% set system_with_kernel_options_in_etc_default_grub = true %}}
+{{% endif -%}}
+
+{{% if system_with_kernel_options_in_etc_default_grub -%}}
+ - name: Check {{{ ARG_NAME }}} argument exists
+   command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub
+   failed_when: False
+@@ -27,7 +54,9 @@
+ - name: Update bootloader menu
+   command: /sbin/grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+ 
+-{{% else %}}
+{{%- endif %}}
+
+{{% if system_with_kernel_options_in_grubenv -%}}
+ 
+ - name: Get current kernel parameters
+   ansible.builtin.shell:
+@@ -50,4 +79,4 @@
+   when:
+     - kernelopts.rc != 0
+ 
+-{{% endif %}}
+{{%- endif %}}
+diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
+index 631e686897e..817fd1fde23 100644
+--- a/shared/templates/grub2_bootloader_argument/bash.template
+++ b/shared/templates/grub2_bootloader_argument/bash.template
+@@ -1,6 +1,41 @@
+ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+{{#
+   See the OVAL template for more comments.
+   Product-specific categorization should be synced across all template content types
+-#}}
+ 
+-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
+{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+{{% set system_with_kernel_options_in_grubenv = false -%}}
+{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
+{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+
+{{% if product in ["rhel9"] %}}
+{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
+{{% endif -%}}
+
+{{% if product in ["rhel8"] %}}
+{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
+{{% set system_with_kernel_options_in_grubenv = true %}}
+{{% endif -%}}
+
+{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+{{% endif -%}}
+
+{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+{{% set system_with_kernel_options_in_etc_default_grub = true %}}
+{{% endif -%}}
+
+{{% macro update_etc_default_grub(arg_name_value) %}}
+{{% if 'ubuntu' in product %}}
+update-grub
+{{% else %}}
+grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"
+{{% endif %}}
+{{% endmacro -%}}
+
+{{% if system_with_kernel_options_in_etc_default_grub %}}
+ {{% if '/' in ARG_NAME %}}
+ {{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
+ {{% elif '/' in ARG_NAME_VALUE %}}
+@@ -14,14 +49,11 @@ else
+ 	# no {{{ ARG_NAME }}}=arg is present, append it
+ 	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/'  '/etc/default/grub'
+ fi
+-
+-{{% if 'ubuntu' in product %}}
+-update-grub
+-{{% else %}}
+-# Correct the form of kernel command line for each installed kernel in the bootloader
+-grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+ {{% endif %}}
+-{{% else %}}
+
+{{{ update_etc_default_grub(ARG_NAME_VALUE) }}}
+
+{{% if system_with_kernel_options_in_grubenv -%}}
+ # Correct grub2 kernelopts value using grub2-editenv
+ existing_kernelopts="$(grub2-editenv - list | grep kernelopts)"
+ if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then
+diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
+index 3ea8acb2910..24258a3bcbd 100644
+--- a/shared/templates/grub2_bootloader_argument/oval.template
+++ b/shared/templates/grub2_bootloader_argument/oval.template
+@@ -1,15 +1,53 @@
+{{#-
+  We set defaults to "off", and products should enable relevant ones depending on how the product configures grub.
+   - /boot/loader/entries/* may not exist don't exist
+   - If they exist, they can reference variables defined in grubenv, or they can contain literal args
+   - The grub cfg may either use those loader entries, or it can contain literal values as well
+   - Kernel opts can be stored in /etc/default/grub so they are persistent between kernel upgrades
+-#}}
+{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+{{% set system_with_kernel_options_in_grubenv = false -%}}
+{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
+{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+
+{{% if product in ["rhel9"] -%}}
+{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
+{{%- endif -%}}
+
+{{% if product in ["rhel8"] -%}}
+{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
+{{% set system_with_kernel_options_in_grubenv = true %}}
+{{%- endif -%}}
+
+{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product -%}}
+{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+{{%- endif -%}}
+
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+{{% set system_with_kernel_options_in_etc_default_grub = true %}}
+{{%- endif -%}}
+
+ <def-group>
+   <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
+     {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
+     <criteria operator="AND">
+-      {{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
+-        {{% if product in ['rhel9'] %}}
+      {{% if system_with_kernel_options_in_grubenv -%}}
+        <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+        comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_boot_path }}}/grubenv" />
+      {{%- endif %}}
+      {{% if system_with_referenced_kernel_options_in_loader_entries -%}}
+        <extend_definition comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable" definition_ref="grub2_entries_reference_kernelopts" />
+      {{%- endif %}}
+      {{% if system_with_expanded_kernel_options_in_loader_entries -%}}
+           <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
+                      comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/loader/entries/*.conf" />
+-        {{% else %}}
+      {{%- endif %}}
+      {{% if system_with_expanded_kernel_options_in_grub_cfg -%}}
+           <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
+           comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
+-        {{% endif %}}
+      {{%- endif %}}
+      {{% if system_with_kernel_options_in_etc_default_grub -%}}
+         <criteria operator="OR">
+           <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
+           comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
+@@ -20,14 +58,11 @@
+             comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
+           </criteria>
+         </criteria>
+-      {{% else %}}
+-        <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+-        comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_boot_path }}}/grubenv" />
+-      {{% endif %}}
+      {{%- endif %}}
+     </criteria>
+   </definition>
+ 
+-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
+{{%- if system_with_kernel_options_in_etc_default_grub %}}
+   <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
+   comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
+   check="all" check_existence="all_exist" version="1">
+@@ -54,8 +89,25 @@
+     <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+{{%- endif %}}
+
+{{%- if system_with_kernel_options_in_grubenv %}}
+  <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+  comment="check for kernel command line parameters {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grubenv for all kernels"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env" />
+    <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
+  </ind:textfilecontent54_test>
+ 
+-  {{% if product in ["rhel9"] %}}
+  <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+  version="1">
+    <ind:filepath>{{{ grub2_boot_path }}}/grubenv</ind:filepath>
+    <ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{%- endif %}}
+
+{{%- if system_with_expanded_kernel_options_in_loader_entries %}}
+     <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
+                                 comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} for all boot entries."
+                                 check="all" check_existence="all_exist" version="1">
+@@ -69,7 +121,9 @@
+     <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+-  {{% else %}}
+{{%- endif %}}
+
+{{%- if system_with_expanded_kernel_options_in_grub_cfg %}}
+   <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
+   comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grub.cfg for all kernels"
+   check="all" check_existence="all_exist" version="1">
+@@ -87,26 +141,7 @@
+     {{% endif %}}
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+-
+-  {{% endif %}}
+-
+-{{% else %}}
+-
+-  <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+-  comment="check forkernel command line parameters {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grubenv for all kernels"
+-  check="all" check_existence="all_exist" version="1">
+-    <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env" />
+-    <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
+-  </ind:textfilecontent54_test>
+-
+-  <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+-  version="1">
+-    <ind:filepath>{{{ grub2_boot_path }}}/grubenv</ind:filepath>
+-    <ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
+-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+-  </ind:textfilecontent54_object>
+-
+-{{% endif %}}
+{{%- endif %}}
+ 
+   <ind:textfilecontent54_state id="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
+   version="1">
+diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
+index a56e6d09235..a270be45952 100644
+--- a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+ 
+ # Removes argument from kernel command line in /etc/default/grub
+ if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"'  '/etc/default/grub' ; then
+diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh
+similarity index 100%
+rename from shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh
+rename to shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh
+
+From 0d10bf751d5e1d7f024cd7301f8b02b38c0e3b9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Wed, 9 Feb 2022 11:19:06 +0100
+Subject: [PATCH 2/5] Change the default product setting
+
+Assume that every product stores kernel opts in the /etc/default/grub
+---
+ shared/templates/grub2_bootloader_argument/ansible.template | 6 +-----
+ shared/templates/grub2_bootloader_argument/bash.template    | 6 +-----
+ shared/templates/grub2_bootloader_argument/oval.template    | 6 +-----
+ 3 files changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template
+index de970879c8f..46de9b465c2 100644
+--- a/shared/templates/grub2_bootloader_argument/ansible.template
+++ b/shared/templates/grub2_bootloader_argument/ansible.template
+@@ -11,7 +11,7 @@
+ {{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
+{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+ 
+ {{% if product in ["rhel9"] %}}
+@@ -27,10 +27,6 @@
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+ {{% endif -%}}
+ 
+-{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true %}}
+-{{% endif -%}}
+-
+ {{% if system_with_kernel_options_in_etc_default_grub -%}}
+ - name: Check {{{ ARG_NAME }}} argument exists
+   command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub
+diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
+index 817fd1fde23..b188d1e3689 100644
+--- a/shared/templates/grub2_bootloader_argument/bash.template
+++ b/shared/templates/grub2_bootloader_argument/bash.template
+@@ -7,7 +7,7 @@
+ {{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
+{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+ 
+ {{% if product in ["rhel9"] %}}
+@@ -23,10 +23,6 @@
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+ {{% endif -%}}
+ 
+-{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true %}}
+-{{% endif -%}}
+-
+ {{% macro update_etc_default_grub(arg_name_value) %}}
+ {{% if 'ubuntu' in product %}}
+ update-grub
+diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
+index 24258a3bcbd..88fa7b7a3ee 100644
+--- a/shared/templates/grub2_bootloader_argument/oval.template
+++ b/shared/templates/grub2_bootloader_argument/oval.template
+@@ -8,7 +8,7 @@
+ {{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
+{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+ 
+ {{% if product in ["rhel9"] -%}}
+@@ -24,10 +24,6 @@
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+ {{%- endif -%}}
+ 
+-{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true %}}
+-{{%- endif -%}}
+-
+ <def-group>
+   <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
+     {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
+
+From fac0aeb351d7acab1112482d11a0be73df662496 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Fri, 11 Feb 2022 14:55:53 +0100
+Subject: [PATCH 3/5] Improve the template further
+
+- Fix the $kernelopts regex - $ is not a word char.
+- Use grubby exclusively on RHEL systems and structure remediations differently than OVAL checks
+- Exclude the rescue.conf loader entry from checks, as it is not a boot entry for general use.
+---
+ .../grub2_entries_reference_kernelopts.xml    |  2 +-
+ .../ansible.template                          | 72 +------------------
+ .../grub2_bootloader_argument/bash.template   | 67 +++++------------
+ .../grub2_bootloader_argument/oval.template   |  7 +-
+ .../tests/invalid_rescue.pass.sh              |  6 ++
+ tests/test_rule_in_container.sh               |  2 +-
+ 6 files changed, 33 insertions(+), 123 deletions(-)
+ create mode 100644 shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
+
+diff --git a/shared/checks/oval/grub2_entries_reference_kernelopts.xml b/shared/checks/oval/grub2_entries_reference_kernelopts.xml
+index 1aec9fe64d2..30f3965a037 100644
+--- a/shared/checks/oval/grub2_entries_reference_kernelopts.xml
+++ b/shared/checks/oval/grub2_entries_reference_kernelopts.xml
+@@ -19,7 +19,7 @@
+   <ind:textfilecontent54_object id="object_grub2_entries_reference_kernelopts" version="1">
+     <ind:path>/boot/loader/entries/</ind:path>
+     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+-    <ind:pattern operation="pattern match">^options .*\b\$kernelopts\b.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^options(?:\s+.*)?\s+\$kernelopts\b.*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>                                                                             
+   </ind:textfilecontent54_object>
+ </def-group>
+diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template
+index 46de9b465c2..db3b4430d4b 100644
+--- a/shared/templates/grub2_bootloader_argument/ansible.template
+++ b/shared/templates/grub2_bootloader_argument/ansible.template
+@@ -4,75 +4,5 @@
+ # complexity = medium
+ # disruption = low
+ 
+-{{#
+-   See the OVAL template for more comments.
+-   Product-specific categorization should be synced across all template content types
+--#}}
+-{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+-{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+-{{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+-{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+-
+-{{% if product in ["rhel9"] %}}
+-{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
+-{{% endif -%}}
+-
+-{{% if product in ["rhel8"] %}}
+-{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
+-{{% set system_with_kernel_options_in_grubenv = true %}}
+-{{% endif -%}}
+-
+-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+-{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+-{{% endif -%}}
+-
+-{{% if system_with_kernel_options_in_etc_default_grub -%}}
+-- name: Check {{{ ARG_NAME }}} argument exists
+-  command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub
+-  failed_when: False
+-  register: argcheck
+-
+-- name: Replace existing {{{ ARG_NAME }}} argument
+-  replace:
+-      path: /etc/default/grub
+-      regexp: '{{{ ARG_NAME }}}=\w+'
+-      replace: '{{{ ARG_NAME_VALUE }}}'
+-  when: argcheck.rc == 0
+-
+-- name: Add {{{ ARG_NAME }}} argument
+-  replace:
+-      path: /etc/default/grub
+-      regexp: '(GRUB_CMDLINE_LINUX=.*)"'
+-      replace: '\1 {{{ ARG_NAME_VALUE }}}"'
+-  when: argcheck.rc != 0
+-
+-- name: Update bootloader menu
+- name: Update grub defaults and the bootloader menu
+   command: /sbin/grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+-
+-{{%- endif %}}
+-
+-{{% if system_with_kernel_options_in_grubenv -%}}
+-
+-- name: Get current kernel parameters
+-  ansible.builtin.shell:
+-    cmd: '/usr/bin/grub2-editenv - list | grep "kernelopts="'
+-  register: kernelopts
+-  ignore_errors: yes
+-  changed_when: False
+-
+-- name: Update the bootloader menu
+-  command: /usr/bin/grub2-editenv - set "{{ item }} {{{ ARG_NAME_VALUE }}}"
+-  with_items: "{{ kernelopts.stdout_lines | select('match', '^kernelopts.*') | list }}"
+-  when:
+-    - kernelopts.rc == 0
+-    - kernelopts.stdout_lines is defined
+-    - kernelopts.stdout_lines | length > 0
+-    - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?{{{ ARG_NAME_VALUE }}}(?:\s.*)?$', multiline=True) is none
+-
+-- name: Update the bootloader menu when there are no entries previously set
+-  command: /usr/bin/grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}"
+-  when:
+-    - kernelopts.rc != 0
+-
+-{{%- endif %}}
+diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
+index b188d1e3689..5f97efd498f 100644
+--- a/shared/templates/grub2_bootloader_argument/bash.template
+++ b/shared/templates/grub2_bootloader_argument/bash.template
+@@ -4,59 +4,28 @@
+    Product-specific categorization should be synced across all template content types
+ -#}}
+ 
+-{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+-{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+-{{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+-{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+{{% set grub_helper_executable = "grubby" -%}}
+{{% set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ ARG_NAME_VALUE] -%}}
+ 
+-{{% if product in ["rhel9"] %}}
+-{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
+-{{% endif -%}}
+-
+-{{% if product in ["rhel8"] %}}
+-{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
+-{{% set system_with_kernel_options_in_grubenv = true %}}
+-{{% endif -%}}
+-
+-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+-{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+-{{% endif -%}}
+-
+-{{% macro update_etc_default_grub(arg_name_value) %}}
+-{{% if 'ubuntu' in product %}}
+-update-grub
+-{{% else %}}
+-grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"
+-{{% endif %}}
+-{{% endmacro -%}}
+-
+-{{% if system_with_kernel_options_in_etc_default_grub %}}
+-{{% if '/' in ARG_NAME %}}
+-{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
+-{{% elif '/' in ARG_NAME_VALUE %}}
+-{{{ raise("ARG_NAME_VALUE (" + ARG_NAME_VALUE + ") uses sed path separator (/) in " + rule_id) }}}
+-{{% endif %}}
+{{%- macro update_etc_default_grub_manually() -%}}
+ # Correct the form of default kernel command line in GRUB
+ if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"'  '/etc/default/grub' ; then
+-	# modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
+-	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/'  '/etc/default/grub'
+       # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
+       sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/'  '/etc/default/grub'
+ else
+-	# no {{{ ARG_NAME }}}=arg is present, append it
+-	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/'  '/etc/default/grub'
+       # no {{{ ARG_NAME }}}=arg is present, append it
+       sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/'  '/etc/default/grub'
+ fi
+-{{% endif %}}
+{{%- endmacro %}}
+
+{{% if 'ubuntu' in product %}}
+{{{ update_etc_default_grub_manually() }}}
+{{% set grub_helper_executable = "update-grub" -%}}
+{{% endif -%}}
+ 
+-{{{ update_etc_default_grub(ARG_NAME_VALUE) }}}
+{{% if product in ["rhel8", "ol8"] %}}
+{{# Suppress the None output of append -#}}
+{{{ grub_helper_args.append("--env=/boot/grub2/grubenv") or "" -}}}
+{{% endif -%}}
+ 
+-{{% if system_with_kernel_options_in_grubenv -%}}
+-# Correct grub2 kernelopts value using grub2-editenv
+-existing_kernelopts="$(grub2-editenv - list | grep kernelopts)"
+-if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then
+-  if test -n "$existing_kernelopts"; then
+-    grub2-editenv - set "$existing_kernelopts {{{ ARG_NAME_VALUE }}}"
+-  else
+-    grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}"
+-  fi
+-fi
+-{{% endif %}}
+{{{ grub_helper_executable }}} {{{ " ".join(grub_helper_args) }}}
+diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
+index 88fa7b7a3ee..6981cc14045 100644
+--- a/shared/templates/grub2_bootloader_argument/oval.template
+++ b/shared/templates/grub2_bootloader_argument/oval.template
+@@ -1,6 +1,6 @@
+ {{#-
+   We set defaults to "off", and products should enable relevant ones depending on how the product configures grub.
+-   - /boot/loader/entries/* may not exist don't exist
+   - /boot/loader/entries/* may not exist.
+    - If they exist, they can reference variables defined in grubenv, or they can contain literal args
+    - The grub cfg may either use those loader entries, or it can contain literal values as well
+    - Kernel opts can be stored in /etc/default/grub so they are persistent between kernel upgrades
+@@ -116,7 +116,12 @@
+     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+     <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <filter action="exclude">state_grub2_rescue_entry_for_{{{ _RULE_ID }}}</filter>
+   </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_grub2_rescue_entry_for_{{{ _RULE_ID }}}" version="1">
+    <ind:filename>rescue.conf</ind:filename>
+  </ind:textfilecontent54_state>
+ {{%- endif %}}
+ 
+ {{%- if system_with_expanded_kernel_options_in_grub_cfg %}}
+diff --git a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
+new file mode 100644
+index 00000000000..ee6e2c67f34
+--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh
+@@ -0,0 +1,6 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9
+# packages = grub2,grubby
+
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
+
+echo "I am an invalid boot entry, but nobody should care, because I am rescue" > /boot/loader/entries/trololol-rescue.conf
+diff --git a/tests/test_rule_in_container.sh b/tests/test_rule_in_container.sh
+index 395fc4e856c..a8691ca7463 100755
+--- a/tests/test_rule_in_container.sh
+++ b/tests/test_rule_in_container.sh
+@@ -221,7 +221,7 @@ additional_args=()
+ test "$_arg_dontclean" = on && additional_args+=(--dontclean)
+ 
+ # Don't act on the default value.
+-test -n "$_arg_scenarios" && additional_args+=(--scenario "'$_arg_scenarios'")
+test -n "$_arg_scenarios" && additional_args+=(--scenario "$_arg_scenarios")
+ 
+ test -n "$_arg_datastream" && additional_args+=(--datastream "$_arg_datastream")
+ 
+
+From 8dda6030dea885c7c7e7e8f1024f5f2edf5bc36c Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Mon, 14 Feb 2022 13:45:09 +0100
+Subject: [PATCH 4/5] Add support for checks of both BIOS/UEFI systems
+
+---
+ .../grub2_bootloader_argument/oval.template   | 57 +++++++++++++++----
+ 1 file changed, 46 insertions(+), 11 deletions(-)
+
+diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
+index 6981cc14045..71367465663 100644
+--- a/shared/templates/grub2_bootloader_argument/oval.template
+++ b/shared/templates/grub2_bootloader_argument/oval.template
+@@ -10,6 +10,7 @@
+ {{% set system_with_kernel_options_in_grubenv = false -%}}
+ {{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+{{% set system_with_bios_and_uefi_support = false -%}}
+ 
+ {{% if product in ["rhel9"] -%}}
+ {{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
+@@ -24,13 +25,25 @@
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+ {{%- endif -%}}
+ 
+{{% if grub2_uefi_boot_path and grub2_uefi_boot_path != grub2_boot_path -%}}
+{{% set system_with_bios_and_uefi_support = true %}}
+{{%- endif -%}}
+
+ <def-group>
+   <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
+     {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
+     <criteria operator="AND">
+       {{% if system_with_kernel_options_in_grubenv -%}}
+      {{% if system_with_bios_and_uefi_support -%}}
+      <criteria operator="OR">
+      {{%- endif %}}
+         <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+         comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_boot_path }}}/grubenv" />
+      {{% if system_with_bios_and_uefi_support -%}}
+        <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env_uefi"
+        comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_uefi_boot_path }}}/grubenv" />
+      </criteria>
+      {{%- endif %}}
+       {{%- endif %}}
+       {{% if system_with_referenced_kernel_options_in_loader_entries -%}}
+         <extend_definition comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable" definition_ref="grub2_entries_reference_kernelopts" />
+@@ -40,8 +53,16 @@
+                      comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/loader/entries/*.conf" />
+       {{%- endif %}}
+       {{% if system_with_expanded_kernel_options_in_grub_cfg -%}}
+          {{% if system_with_bios_and_uefi_support -%}}
+          <criteria operator="OR">
+          {{%- endif %}}
+           <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
+           comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
+          {{% if system_with_bios_and_uefi_support -%}}
+          <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg_uefi"
+          comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_uefi_boot_path }}}/grub.cfg for all kernels" />
+          </criteria>
+          {{%- endif %}}
+       {{%- endif %}}
+       {{% if system_with_kernel_options_in_etc_default_grub -%}}
+         <criteria operator="OR">
+@@ -88,19 +109,26 @@
+ {{%- endif %}}
+ 
+ {{%- if system_with_kernel_options_in_grubenv %}}
+-  <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+-  comment="check for kernel command line parameters {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grubenv for all kernels"
+{{%- macro test_and_object_for_kernel_options_grub_env(base_name, path) %}}
+  <ind:textfilecontent54_test id="test_{{{ base_name }}}"
+  comment="check for kernel command line parameters {{{ ARG_NAME_VALUE }}} in {{{ path }}} for all kernels"
+   check="all" check_existence="all_exist" version="1">
+-    <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env" />
+    <ind:object object_ref="object_{{{ base_name }}}" />
+     <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
+   </ind:textfilecontent54_test>
+ 
+-  <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
+  <ind:textfilecontent54_object id="object_{{{ base_name }}}"
+   version="1">
+-    <ind:filepath>{{{ grub2_boot_path }}}/grubenv</ind:filepath>
+    <ind:filepath>{{{ path }}}</ind:filepath>
+     <ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+{{%- endmacro %}}
+
+{{{ test_and_object_for_kernel_options_grub_env("grub2_" ~ SANITIZED_ARG_NAME ~ "_argument_grub_env", grub2_boot_path ~ "/grubenv") }}}
+{{% if system_with_bios_and_uefi_support -%}}
+{{{ test_and_object_for_kernel_options_grub_env("grub2_" ~ SANITIZED_ARG_NAME ~ "_argument_grub_env_uefi", grub2_uefi_boot_path ~ "/grubenv") }}}
+{{%- endif %}}
+ {{%- endif %}}
+ 
+ {{%- if system_with_expanded_kernel_options_in_loader_entries %}}
+@@ -120,21 +148,22 @@
+   </ind:textfilecontent54_object>
+ 
+   <ind:textfilecontent54_state id="state_grub2_rescue_entry_for_{{{ _RULE_ID }}}" version="1">
+-    <ind:filename>rescue.conf</ind:filename>
+    <ind:filename operation="pattern match">.*rescue.conf$</ind:filename>
+   </ind:textfilecontent54_state>
+ {{%- endif %}}
+ 
+ {{%- if system_with_expanded_kernel_options_in_grub_cfg %}}
+-  <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
+-  comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grub.cfg for all kernels"
+{{%- macro test_and_object_for_kernel_options_grub_cfg(base_name, path) %}}
+  <ind:textfilecontent54_test id="test_{{{ base_name }}}"
+  comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ path }}} for all kernels"
+   check="all" check_existence="all_exist" version="1">
+-    <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg" />
+    <ind:object object_ref="object_{{{ base_name }}}" />
+     <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
+   </ind:textfilecontent54_test>
+ 
+-  <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
+  <ind:textfilecontent54_object id="object_{{{ base_name }}}"
+   version="1">
+-    <ind:filepath>{{{ grub2_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:filepath>{{{ path }}}</ind:filepath>
+     {{% if product in ["rhel7"] or 'ubuntu' in product %}}
+       <ind:pattern operation="pattern match">^.*/vmlinuz.*(root=.*)$</ind:pattern>
+     {{% else %}}
+@@ -142,6 +171,12 @@
+     {{% endif %}}
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+{{%- endmacro %}}
+
+{{{ test_and_object_for_kernel_options_grub_cfg("grub2_" + SANITIZED_ARG_NAME + "_argument_grub_cfg", grub2_boot_path ~ "/grub.cfg") }}}
+{{% if system_with_bios_and_uefi_support -%}}
+{{{ test_and_object_for_kernel_options_grub_cfg("grub2_" + SANITIZED_ARG_NAME + "_argument_grub_cfg_uefi", grub2_uefi_boot_path ~ "/grub.cfg") }}}
+{{%- endif %}}
+ {{%- endif %}}
+ 
+   <ind:textfilecontent54_state id="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
+
+From df44b5d7017328d05c0671397edcfed019a2a448 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 14 Feb 2022 14:49:34 +0100
+Subject: [PATCH 5/5] Correct test scenario metadata
+
+- Grubenv doesn't relate to anything else than RHEL8
+- The grubby remediation has different behavior in corner-cases
+  that are technically unsupported, so the corresponding test scenario has been dropped.
+---
+ .../grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh      | 1 +
+ .../auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh b/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh
+index 5af2acc317e..956c8ac79fd 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh
+@@ -1,6 +1,7 @@
+ #!/bin/bash
+ 
+ # platform = Red Hat Enterprise Linux 8
+# remediation = none
+ 
+ # Removes audit argument from kernel command line in /boot/grub2/grubenv
+ file="/boot/grub2/grubenv"
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh b/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh
+index 0ec9a1d6e38..9823b08dff9 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh
+@@ -1,4 +1,4 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = Red Hat Enterprise Linux 8
+ 
+ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
--- a/scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
+++ b/scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
@ -0,0 +1,126 @@
+From 622558873703704bd97fde1874a9a782d4cb8b0e Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Mon, 14 Feb 2022 17:51:50 +0100
+Subject: [PATCH] Introduce CPE for aarch64 and make package_rear_installed n/a
+ aarch64.
+
+This rule is not applicable for RHEL9 only.
+---
+ .../package_rear_installed/rule.yml           |  4 +++
+ shared/applicability/arch.yml                 | 12 +++++++
+ ...proc_sys_kernel_osrelease_arch_aarch64.xml | 33 +++++++++++++++++++
+ ..._sys_kernel_osrelease_arch_not_aarch64.xml | 16 +++++++++
+ ssg/constants.py                              |  2 ++
+ 5 files changed, 67 insertions(+)
+ create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
+ create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml
+
+diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
+index 6e3c11e5749..efb591654a9 100644
+--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
+@@ -25,6 +25,10 @@ ocil: '{{{ ocil_package(package="rear") }}}'
+ # The package is not available for s309x on RHEL<8.5
+ # platform: not_s390x_arch
+ 
+{{%- if product == "rhel9" %}}
+platform: not_aarch64_arch
+{{%- endif %}}
+
+ template:
+     name: package_installed
+     vars:
+diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
+index d2cbd102310..9ac05317a95 100644
+--- a/shared/applicability/arch.yml
+++ b/shared/applicability/arch.yml
+@@ -12,3 +12,15 @@ cpes:
+       check_id: proc_sys_kernel_osrelease_arch_s390x
+       bash_conditional: 'grep -q s390x /proc/sys/kernel/osrelease'
+ 
+  - not_aarch64_arch:
+      name: "cpe:/a:not_aarch64_arch"
+      title: "System architecture is not AARCH64"
+      check_id: proc_sys_kernel_osrelease_arch_not_aarch64
+      bash_conditional: "! grep -q aarch64 /proc/sys/kernel/osrelease"
+
+  - aarch64_arch:
+      name: "cpe:/a:aarch64_arch"
+      title: "System architecture is AARCH64"
+      check_id: proc_sys_kernel_osrelease_arch_aarch64
+      bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease'
+
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
+new file mode 100644
+index 00000000000..3d54f81e6d4
+--- /dev/null
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
+@@ -0,0 +1,33 @@
+<def-group>
+  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_aarch64"
+  version="1">
+    <metadata>
+      <title>Test that the architecture is aarch64</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Architecture is aarch64"
+      test_ref="test_proc_sys_kernel_osrelease_arch_aarch64" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+      comment="proc_sys_kernel is for aarch64 architecture"
+      id="test_proc_sys_kernel_osrelease_arch_aarch64"
+  version="1">
+    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_aarch64" />
+    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_aarch64" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_aarch64" version="1">
+    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
+    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_aarch64" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml
+new file mode 100644
+index 00000000000..3fce66ee00a
+--- /dev/null
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml
+@@ -0,0 +1,16 @@
+<def-group>
+  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_not_aarch64"
+  version="1">
+    <metadata>
+      <title>Test for different architecture than aarch64</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64</description>
+    </metadata>
+    <criteria>
+      <extend_definition comment="Architecture is not aarch64"
+      definition_ref="proc_sys_kernel_osrelease_arch_aarch64" negate="true"/>
+    </criteria>
+  </definition>
+</def-group>
+diff --git a/ssg/constants.py b/ssg/constants.py
+index 64d7d36c989..92cc2f8de34 100644
+--- a/ssg/constants.py
+++ b/ssg/constants.py
+@@ -424,6 +424,8 @@
+   "non-uefi": None,
+   "not_s390x_arch": None,
+   "s390x_arch": None,
+  "not_aarch64_arch": None,
+  "aarch64_arch": None,
+   "ovirt": None,
+   "no_ovirt": None,
+ }
--- a/scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch
+++ b/scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch
@ -0,0 +1,163 @@
+From 573ae69742cf372d41da6c56a3051745326055cd Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Mon, 14 Feb 2022 15:54:37 +0100
+Subject: [PATCH] Update RHEL-08-010385 to allow only one occurrence of config.
+
+This configuration must appear at only one place so it doesn't get
+overriden by a different file that can loaded on a different order and
+the intended configuration is replaced by non-compliant value.
+---
+ .../ansible/shared.yml                        | 36 ++++++++++++++++++
+ .../bash/shared.sh                            | 38 +++++++++++++++++++
+ .../oval/shared.xml                           |  4 +-
+ .../sudo_require_reauthentication/rule.yml    | 14 +------
+ .../tests/multiple_correct_value.fail.sh      | 10 +++++
+ 5 files changed, 87 insertions(+), 15 deletions(-)
+ create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
+
+diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
+new file mode 100644
+index 00000000000..b0c67a69af9
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
+@@ -0,0 +1,36 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
+- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated"
+  find:
+    path: "/etc/sudoers.d"
+    patterns: "*"
+    contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
+  register: sudoers_d_defaults_timestamp_timeout
+
+- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
+  lineinfile:
+    path: "{{ item.path }}"
+    regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
+    state: absent
+  with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"
+
+- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
+  lineinfile:
+    path: /etc/sudoers
+    regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$'
+    line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
+    validate: /usr/sbin/visudo -cf %s
+    backrefs: yes
+  register: edit_sudoers_timestamp_timeout_option
+
+- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
+  lineinfile: # noqa 503
+    path: /etc/sudoers
+    line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
+    validate: /usr/sbin/visudo -cf %s
+  when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
+diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
+new file mode 100644
+index 00000000000..0b623ed4a49
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
+@@ -0,0 +1,38 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+
+{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
+
+if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then
+    find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \;
+fi
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+    cp /etc/sudoers /etc/sudoers.bak
+    if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option timestamp_timeout
+        echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
+    else
+        # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
+        if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
+            
+            sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
+        fi
+    fi
+    
+    # Check validity of sudoers and cleanup bak
+    if /usr/sbin/visudo -qcf /etc/sudoers; then
+        rm -f /etc/sudoers.bak
+    else
+        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+        mv /etc/sudoers.bak /etc/sudoers
+        false
+    fi
+else
+    echo "Skipping remediation, /etc/sudoers failed to validate"
+    false
+fi
+diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
+index 8f404ca6065..dfc319b6f1f 100644
+--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
+@@ -6,13 +6,13 @@
+     </criteria>
+   </definition>
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
+     <ind:object object_ref="obj_sudo_timestamp_timeout"/>
+     <ind:state state_ref="state_sudo_timestamp_timeout" />
+   </ind:textfilecontent54_test>
+ 
+   <ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
+-    <ind:filepath>/etc/sudoers</ind:filepath>
+    <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
+     <ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
+index 42c6e28f9e6..eebb96678f1 100644
+--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
+@@ -50,16 +50,4 @@ ocil: |-
+     <pre>sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d</pre>
+     The output should be:
+     <pre>/etc/sudoers:Defaults timestamp_timeout=0</pre> or "timestamp_timeout" is set to a positive number.
+-
+-template:
+-    name: sudo_defaults_option
+-    vars:
+-        option: timestamp_timeout
+-        variable_name: "var_sudo_timestamp_timeout"
+-        # optional minus char added so remediation can detect properly if item is already configured
+-        option_regex_suffix: '=[-]?\w+\b'
+-    backends:
+-        # Template is not able to accomodate this particular check.
+-        # It needs to check for an integer greater than or equal to zero
+-        oval: "off"
+-        
+    If results are returned from more than one file location, this is a finding.
+diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
+new file mode 100644
+index 00000000000..a258d6632b5
+--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=3" >> /etc/sudoers
+fi
+
+echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -6,7 +6,7 @@

 Name:		scap-security-guide
 Version:	0.1.60
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -50,6 +50,13 @@ Patch32:	scap-security-guide-0.1.61-ospp-boot-parametersb-PR_8092.patch
 Patch33:	scap-security-guide-0.1.61-ospp-audit.conf-rules-PR_8188.patch
 Patch34:	scap-security-guide-0.1.61-distributed-sshd-rekeylimit-PR_8148.patch
 Patch35:	scap-security-guide-0.1.61-supported-rhel9-PR_8202.patch
+Patch36:	scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch
+Patch37:	scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch
+Patch38:	scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch
+Patch39:	scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
+Patch40:	scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
+Patch41:	scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
+Patch42:	scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch

 BuildRequires:	libxslt
 BuildRequires:	expat
@ -136,6 +143,14 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif

 %changelog
+* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
+- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
+- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
+- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
+- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
+- Update GRUB2 rule descriptions (RHBZ#2020623)
+- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
+
 * Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
 - Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)