From cd3b90bce2facf8a2c5f6717dfeaab4838e1209e Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 14 Feb 2022 19:24:32 +0100 Subject: [PATCH] Updates to RHEL-9.0.0 content Update sudoers rules in RHEL8 STIG V1R5 Add missing SRG references in RHEL8 STIG V1R5 rules Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives Fix GRUB2 rule template to configure the module correctly on RHEL8 Update GRUB2 rule descriptions Make package_rear_installed not applicable on AARCH64 Resolves: rhbz#2045403 Resolves: rhbz#2014561 Resolves: rhbz#2020623 --- ...L_08_0103789_include_sudoers-PR_8196.patch | 596 ++++++++++++ ...uide-0.1.61-add_missing_srgs-PR_8218.patch | 38 + ...-guide-0.1.61-chrony_maxpoll-PR_8187.patch | 369 ++++++++ ....1.61-grub2_rule_desc_update-PR_8184.patch | 854 ++++++++++++++++++ ...de-0.1.61-grub2_template_fix-PR_8180.patch | 842 +++++++++++++++++ ...-rear_not_applicable_aarch64-PR_8221.patch | 126 +++ ...61-sudoers_timestamp_timeout-PR_8220.patch | 163 ++++ scap-security-guide.spec | 17 +- 8 files changed, 3004 insertions(+), 1 deletion(-) create mode 100644 scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch create mode 100644 scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch create mode 100644 scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch create mode 100644 scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch create mode 100644 scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch create mode 100644 scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch create mode 100644 scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch diff --git a/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch b/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch new file mode 100644 index 0000000..fc41aba --- /dev/null +++ b/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch 
@@ -0,0 +1,596 @@ +From 19bd5adfd804590b15e42cc75287b792706286d5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Feb 2022 15:25:06 +0100 +Subject: [PATCH 1/9] Add rule to check for default sudoers includedir + +This rule supports RHEL-08-010379. +--- + .../ansible/shared.yml | 7 ++++ + .../sudoers_default_includedir/bash/shared.sh | 11 ++++++ + .../oval/shared.xml | 23 +++++++++++ + .../sudo/sudoers_default_includedir/rule.yml | 38 +++++++++++++++++++ + .../tests/default_includedir.pass.sh | 7 ++++ + .../tests/duplicate_includedir.fail.sh | 7 ++++ + .../tests/no_includedir.fail.sh | 4 ++ + .../tests/two_includedir.fail.sh | 8 ++++ + shared/references/cce-redhat-avail.txt | 3 -- + 9 files changed, 105 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +new file mode 100644 +index 00000000000..d9d5933285f +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +@@ -0,0 +1,7 @@ ++# platform = multi_platform_all 
++# # reboot = false ++# # strategy = configure ++# # complexity = low ++# # disruption = low ++ ++{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}} +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +new file mode 100644 +index 00000000000..3a9e2da985b +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +@@ -0,0 +1,11 @@ ++# platform = multi_platform_all ++ ++sudoers_config_file="/etc/sudoers" ++sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") ++if [ "$sudoers_includedir_count" -gt 1 ]; then ++ sed -i "/#includedir.*/d" "$sudoers_config_file" ++ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" ++fi ++if [ "$sudoers_includedir_count" -eq 0 ]; then ++ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +new file mode 100644 +index 00000000000..5618c64291c +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +@@ -0,0 +1,23 @@ ++ ++ ++ {{{ oval_metadata("Check if sudo includes only the default includedir") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/sudoers ++ ^#includedir[\s]+(.*)$ ++ 1 ++ ++ ++ /etc/sudoers.d ++ ++ ++ +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +new file mode 100644 +index 00000000000..5c33121f911 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel7,rhel8,rhel9 ++ 
++title: 'Ensure sudo only includes the default configuration directory' ++ ++description: |- ++ Administrators can configure authorized sudo users via drop-in files, and it is possible to include ++ other directories and configuration files from the file currently being parsed. ++ ++ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. ++ The /etc/sudoers should contain only one #includedir directive pointing to ++ /etc/sudoers.d ++ Note that the '#' character doesn't denote a comment in the configuration file. ++ ++rationale: |- ++ Some sudo configurtion options allow users to run programs without re-authenticating. ++ Use of these configuration options makes it easier for one compromised accound to be used to ++ compromise other accounts. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-86277-1 ++ cce@rhel8: CCE-86377-9 ++ cce@rhel9: CCE-86477-7 ++ ++references: ++ disa: CCI-000366 ++ stigid@rhel8: RHEL-08-010379 ++ ++ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?" ++ ++ocil: |- ++ To determine whether sudo command includes configuration files from the appropriate directory, ++ run the following command: ++
$ sudo grep 'include' /etc/sudoers
++ If only the line #includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly. +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh +new file mode 100644 +index 00000000000..ac0c808ccd6 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure default config is there ++if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh +new file mode 100644 +index 00000000000..5bad8225625 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# duplicate default entry ++if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh +new file mode 100644 +index 00000000000..1e0ab8aea92 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++sed -i "/#includedir.*/d" /etc/sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh +new 
file mode 100644 +index 00000000000..09d14eab630 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure that there are two different indludedirs ++if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi ++echo "#includedir /opt/extra_config.d" >> /etc/sudoers +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 41caad9f0d0..f2990adb537 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -340,7 +340,6 @@ CCE-86273-0 + CCE-86274-8 + CCE-86275-5 + CCE-86276-3 +-CCE-86277-1 + CCE-86278-9 + CCE-86279-7 + CCE-86281-3 +@@ -428,7 +427,6 @@ CCE-86373-8 + CCE-86374-6 + CCE-86375-3 + CCE-86376-1 +-CCE-86377-9 + CCE-86378-7 + CCE-86379-5 + CCE-86380-3 +@@ -524,7 +522,6 @@ CCE-86473-6 + CCE-86474-4 + CCE-86475-1 + CCE-86476-9 +-CCE-86477-7 + CCE-86478-5 + CCE-86479-3 + CCE-86480-1 + +From 99fe46922243e8dff5822e2ed6eb49addd000baa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Feb 2022 16:21:46 +0100 +Subject: [PATCH 2/9] Select rule in RHEL8 STIG + +Select sudoers_default_indludedir aligning to RHEL8 STIG V1R5 +--- + products/rhel8/profiles/stig.profile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index d92bc72971c..e13bda7a787 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -271,6 +271,9 @@ selections: + # RHEL-08-010376 + - sysctl_kernel_perf_event_paranoid + ++ # RHEL-08-010379 ++ - sudoers_default_includedir ++ + # RHEL-08-010380 + - sudo_remove_nopasswd + + +From 3686fe72a6e27049f1c46d0a4efa07e1b42b6a20 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Feb 2022 17:26:59 +0100 +Subject: [PATCH 3/9] Add test and fix for 
case when the single includedir is + wrong + +--- + .../sudo/sudoers_default_includedir/bash/shared.sh | 7 +++++-- + .../tests/wrong_includedir.fail.sh | 5 +++++ + 2 files changed, 10 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +index 3a9e2da985b..258af02c121 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +@@ -5,7 +5,10 @@ sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") + if [ "$sudoers_includedir_count" -gt 1 ]; then + sed -i "/#includedir.*/d" "$sudoers_config_file" + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" +-fi +-if [ "$sudoers_includedir_count" -eq 0 ]; then ++elif [ "$sudoers_includedir_count" -eq 0 ]; then + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" ++else ++ if ! 
grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then ++ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers ++ fi + fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh +new file mode 100644 +index 00000000000..55a072adf3c +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++sed -i "/#includedir.*/d" /etc/sudoers ++echo "#includedir /opt/extra_config.d" >> /etc/sudoers + +From 0b20b495ed82cead1a033170b900c13da5260603 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 14:50:11 +0100 +Subject: [PATCH 4/9] Add tests for sudo file and dir includes in + /etc/sudoers.d + +--- + .../tests/sudoers.d_with_include.fail.sh | 9 +++++++++ + .../tests/sudoers.d_with_includedir.fail.sh | 9 +++++++++ + .../tests/sudoers_with_include.fail.sh | 11 +++++++++++ + 3 files changed, 29 insertions(+) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh +new file mode 100644 +index 00000000000..554ef2e060d +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure default config is there ++if ! 
grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi ++ ++echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh +new file mode 100644 +index 00000000000..516b68b5a3e +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure default config is there ++if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi ++ ++echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh +new file mode 100644 +index 00000000000..ad04880e334 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure default config is there ++if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi ++ ++if ! grep -q "#include " /etc/sudoers; then ++ echo "#include /etc/my-sudoers" >> /etc/sudoers ++fi + +From d91e3eefe6c265c27634cb15b0f276a298f81645 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 14:59:18 +0100 +Subject: [PATCH 5/9] Update rule catch and remove other sudo includes + +Any other #include or #includedir besides: +"/etc/sudoers: #includedir /etc/sudoers.d" should be removed. 
+--- + .../ansible/shared.yml | 14 +++++++++++ + .../sudoers_default_includedir/bash/shared.sh | 7 ++++-- + .../oval/shared.xml | 23 +++++++++++++++++++ + .../sudo/sudoers_default_includedir/rule.yml | 7 +++--- + 4 files changed, 46 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +index d9d5933285f..175a447e0d9 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +@@ -5,3 +5,17 @@ + # # disruption = low + + {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}} ++{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}} ++- name: "Find out if /etc/sudoers.d/* files contain file or directory includes" ++ find: ++ path: "/etc/sudoers.d" ++ patterns: "*" ++ contains: '^#include(dir)?\s.*$' ++ register: sudoers_d_includes ++ ++- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files" ++ lineinfile: ++ path: "{{ item.path }}" ++ regexp: '^#include(dir)?\s.*$' ++ state: absent ++ with_items: "{{ sudoers_d_includes.files }}" +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +index 258af02c121..2d00b471677 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +@@ -1,6 +1,7 @@ + # platform = multi_platform_all + + sudoers_config_file="/etc/sudoers" ++sudoers_config_dir="/etc/sudoers.d" + 
sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") + if [ "$sudoers_includedir_count" -gt 1 ]; then + sed -i "/#includedir.*/d" "$sudoers_config_file" +@@ -8,7 +9,9 @@ if [ "$sudoers_includedir_count" -gt 1 ]; then + elif [ "$sudoers_includedir_count" -eq 0 ]; then + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" + else +- if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then +- sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers ++ if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then ++ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" + fi + fi ++sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/* ++sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/* +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +index 5618c64291c..59cab0b89de 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +@@ -3,6 +3,8 @@ + {{{ oval_metadata("Check if sudo includes only the default includedir") }}} + + ++ ++ + + + +@@ -20,4 +22,25 @@ + /etc/sudoers.d + + ++ ++ ++ ++ ++ /etc/sudoers ++ ^#include[\s]+.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/sudoers.d/ ++ .* ++ ^#include(dir)?[\s]+.*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +index 5c33121f911..3a8c22ac8af 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +@@ -10,7 +10,7 @@ description: |- + + Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. 
+ The /etc/sudoers should contain only one #includedir directive pointing to +- /etc/sudoers.d ++ /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories. + Note that the '#' character doesn't denote a comment in the configuration file. + + rationale: |- +@@ -34,5 +34,6 @@ ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other + ocil: |- + To determine whether sudo command includes configuration files from the appropriate directory, + run the following command: +-
$ sudo grep 'include' /etc/sudoers
+- If only the line #includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly. ++
$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d
++ If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. ++ Any other line returned is a finding. + +From ead72b744f1fc03893184079c079df27780044c2 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 15:00:46 +0100 +Subject: [PATCH 6/9] Add SRG to sudoers_default_includedir + +--- + .../system/software/sudo/sudoers_default_includedir/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +index 3a8c22ac8af..a97bd3efb2c 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +@@ -27,6 +27,7 @@ identifiers: + + references: + disa: CCI-000366 ++ srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-010379 + + ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?" 
+ +From c1a08fe6b8e6388b89b190ca74e57af06e7c999c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 16:12:32 +0100 +Subject: [PATCH 7/9] Update RHEL8 STIG profile stability data + +--- + tests/data/profile_stability/rhel8/stig.profile | 1 + + tests/data/profile_stability/rhel8/stig_gui.profile | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index e4fee44f9f9..974b28757e9 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -365,6 +365,7 @@ selections: + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sudo_restrict_privilege_elevation_to_authorized ++- sudoers_default_includedir + - sudoers_validate_passwd + - sysctl_crypto_fips_enabled + - sysctl_fs_protected_hardlinks +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 83d04775e3a..99e0af4f5a6 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -376,6 +376,7 @@ selections: + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sudo_restrict_privilege_elevation_to_authorized ++- sudoers_default_includedir + - sudoers_validate_passwd + - sysctl_crypto_fips_enabled + - sysctl_fs_protected_hardlinks + +From adae3ecbda4362e23cd1f30e053db37d6a1d403b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 16:59:22 +0100 +Subject: [PATCH 8/9] Fix Ansible remediation metadata + +--- + .../sudo/sudoers_default_includedir/ansible/shared.yml | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +index 175a447e0d9..0d8c9e75184 100644 +--- 
a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +@@ -1,8 +1,8 @@ + # platform = multi_platform_all +-# # reboot = false +-# # strategy = configure +-# # complexity = low +-# # disruption = low ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low + + {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}} + {{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}} + +From d3f048456908b316c0dcc0bff2328cf87fe6e7de Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 17:39:39 +0100 +Subject: [PATCH 9/9] Handle case when /etc/sudoers.d doesn't exist + +The remediation skips the directory, and the test scenarios create the +dir to ensure the test scenario works. +--- + .../sudo/sudoers_default_includedir/bash/shared.sh | 8 ++++++-- + .../tests/sudoers.d_with_include.fail.sh | 1 + + .../tests/sudoers.d_with_includedir.fail.sh | 1 + + 3 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +index 2d00b471677..fbff5eb6f30 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +@@ -13,5 +13,9 @@ else + sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" + fi + fi +-sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/* +-sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/* ++ ++sed -i "/^#include\s\+.*/d" "$sudoers_config_file" ++ ++if grep -Pr "^#include(dir)? 
.*" "$sudoers_config_dir" ; then ++ sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/* ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh +index 554ef2e060d..3f14ecc1627 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + # platform = multi_platform_all + ++mkdir -p /etc/sudoers.d + # Ensure default config is there + if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then + echo "#includedir /etc/sudoers.d" >> /etc/sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh +index 516b68b5a3e..89515076ff1 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + # platform = multi_platform_all + ++mkdir -p /etc/sudoers.d + # Ensure default config is there + if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then + echo "#includedir /etc/sudoers.d" >> /etc/sudoers diff --git a/scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch b/scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch new file mode 100644 index 0000000..2ff9d14 --- /dev/null +++ b/scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch 
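Review bot: The bash remediation in its final form (PATCH 5/9 and 9/9 of this hunk) counts and deletes `#includedir` with unanchored patterns, `grep -c "#includedir"` and `sed -i "/#includedir.*/d"`, while the OVAL check only matches lines anchored with `^#includedir[\s]+`, so a comment line that merely mentions `#includedir` (a constructed example: `## #includedir ...`) is counted and then deleted by the remediation but ignored by the check, and the two can disagree about the same file. Anchoring both, `grep -c "^#includedir" "$sudoers_config_file"` and `sed -i "/^#includedir.*/d" "$sudoers_config_file"`, keeps the remediation aligned with what the OVAL evaluates and stops it from touching comment lines. The final bash also looks for includes under /etc/sudoers.d with `grep -Pr "^#include(dir)? .*"` (a literal space) but deletes with `\s\+`, so a tab-separated directive is flagged by the OVAL `[\s]+` pattern yet never remediated; `grep -Pr "^#include(dir)?\s+.*"` would match the check. Neither the check nor the remediation recognises the `@include`/`@includedir` spelling that sudo 1.9.1 and later also accept, which is worth stating in rule.yml given prodtype lists rhel9. The rationale in rule.yml still describes re-authentication options rather than why includes outside /etc/sudoers.d matter (policy fragments living outside the reviewed drop-in directory), and ocil_clause still reads `/etc/sudores.d`.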
@@ -0,0 +1,38 @@ +From 8605b236665b1022c7379e87d9445c9ca42e78f3 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 14 Feb 2022 11:41:15 +0100 +Subject: [PATCH] Add SRG references to STIG rules. + +Rules accounts_password_pam_pwquality_password_auth and accounts_password_pam_pwquality_system_auth +were missing SRG required references. +--- + .../accounts_password_pam_pwquality_password_auth/rule.yml | 2 ++ + .../accounts_password_pam_pwquality_system_auth/rule.yml | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml +index 6c7bb1ad7a0..34dd6e2fcca 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml +@@ -22,6 +22,8 @@ identifiers: + cce@rhel9: CCE-85878-7 + + references: ++ disa: CCI-000366 ++ srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-020100 + + ocil_clause: 'pam_pwquality.so is not enabled in password-auth' +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml +index ea42ff9b07a..a5189c61608 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml +@@ -22,6 +22,8 @@ identifiers: + cce@rhel9: CCE-85873-8 + + references: ++ disa: CCI-000366 ++ srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-020101 + + ocil_clause: 'pam_pwquality.so is not enabled in system-auth' diff --git a/scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch b/scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch new file mode 100644 index 0000000..f8f14d1 --- /dev/null +++ b/scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch 
@@ -0,0 +1,369 @@ +From bbafe0a7b4b9eb50bc622d9f9f3c0074fca932f9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 9 Feb 2022 16:17:52 +0100 +Subject: [PATCH 1/2] Pass the rule when no time server nor pool is set + +If no time server or pool is configured, there is no entry to add +maxpoll option to, so the rule should evaluate to pass. +--- + .../oval/shared.xml | 50 +++++++++++++++---- + .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 2 + + .../tests/chrony_no_pool_nor_servers.pass.sh | 12 +++++ + 3 files changed, 54 insertions(+), 10 deletions(-) + create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml +index 780c2e2d0ba..76f810123f3 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml +@@ -3,17 +3,25 @@ + {{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf + to continuously poll the time source servers.") }}} + +- +- +- ++ ++ ++ ++ ++ ++ + +- +- +- ++ ++ ++ ++ ++ ++ + + + +@@ -77,4 +85,26 @@ + maxpoll \d+ + + ++ ++ ++ ++ ++ ^/etc/chrony\.(conf|d/.+\.conf)$ ++ ^(?:server|pool).* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/ntp.conf ++ ^server.* ++ 1 ++ ++ + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +index 20e7467a7b5..c115ad3c115 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +@@ -13,6 +13,8 @@ description: |- +
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}
+ to
server
directives. If using chrony any
pool
directives + should be configured too. ++ If no server or pool directives are configured, the rule evaluates ++ to pass. + {{% if product == "rhcos4" %}} +

+ Note that if the remediation shipping with this content is being used, the +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh +new file mode 100644 +index 00000000000..bbae20fc696 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# packages = chrony ++# ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++yum remove -y ntp ++ ++# Remove all pool and server options ++sed -i "/^pool.*/d" /etc/chrony.conf ++sed -i "/^server.*/d" /etc/chrony.conf ++ ++systemctl enable chronyd.service + +From 60ef6eb2cce9e53ea256738ff2583b332155a318 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 11 Feb 2022 12:14:30 +0100 +Subject: [PATCH 2/2] Add rule ensuring Chrony only uses server directive + +This new rule only asserts that Chrony has at least one time source configured, +and that it is done with the 'server' directive. +No remediation is provided for rule, that is left for other specialized +rules. 
+--- + .../chronyd_server_directive/oval/shared.xml | 33 +++++++++++++++++++ + .../ntp/chronyd_server_directive/rule.yml | 32 ++++++++++++++++++ + .../tests/file_empty.fail.sh | 6 ++++ + .../tests/file_missing.fail.sh | 6 ++++ + .../tests/line_missing.fail.sh | 7 ++++ + .../tests/multiple_servers.pass.sh | 8 +++++ + .../tests/only_pool.fail.sh | 9 +++++ + .../tests/only_server.pass.sh | 6 ++++ + products/rhel8/profiles/stig.profile | 1 + + products/rhel9/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 2 -- + .../data/profile_stability/rhel8/stig.profile | 1 + + .../profile_stability/rhel8/stig_gui.profile | 1 + + 13 files changed, 111 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml + create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/rule.yml + create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh + +diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml +new file mode 100644 +index 00000000000..2244e608047 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml +@@ -0,0 +1,33 @@ ++ ++ ++ {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/chrony\.(conf|d/.+\.conf)$ ++ ^[\s]*server.*$ ++ 1 ++ ++ ++ ++ ++ ++ 
++ ^/etc/chrony\.(conf|d/.+\.conf)$ ++ ^[\s]+pool.*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml +new file mode 100644 +index 00000000000..6dc24f1be85 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++title: 'Ensure Chrony is only configured with the server directive' ++ ++description: |- ++ Check that Chrony only has time sources configured with the server directive. ++ ++rationale: |- ++ Depending on the infrastruture being used the pool directive may not be supported. ++ ++severity: medium ++ ++platform: chrony ++ ++warnings: ++ - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator. ++ ++identifiers: ++ cce@rhel8: CCE-86077-5 ++ cce@rhel9: CCE-87077-4 ++ ++references: ++ disa: CCI-001891 ++ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146 ++ stigid@rhel8: RHEL-08-030740 ++ ++ocil_clause: 'a remote time server is not configured or configured with pool directive' ++ ++ocil: |- ++ Run the following command and verify that time sources are only configure with server directive: ++

# grep -E "^(server|pool)" /etc/chrony.conf
++ A line with the appropriate server should be returned, any line returned starting with pool is a finding. +diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh +new file mode 100644 +index 00000000000..d1ba0755198 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# packages = chrony ++# platform = multi_platform_fedora,multi_platform_rhel ++# remediation = none ++ ++echo "" > /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh +new file mode 100644 +index 00000000000..12a50ebc3d2 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# packages = chrony ++# platform = multi_platform_fedora,multi_platform_rhel ++# remediation = none ++ ++rm -f /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh +new file mode 100644 +index 00000000000..bffa8b62b1b +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# packages = chrony ++# platform = multi_platform_fedora,multi_platform_rhel ++# remediation = none ++ ++echo "some line" > /etc/chrony.conf ++echo "another line" >> /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh +new file mode 100644 +index 00000000000..5527f389316 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh +@@ -0,0 +1,8 
@@ ++#!/bin/bash ++# packages = chrony ++# platform = multi_platform_fedora,multi_platform_rhel ++# remediation = none ++ ++sed -i "^pool.*" /etc/chrony.conf ++echo "server 0.pool.ntp.org" > /etc/chrony.conf ++echo "server 1.pool.ntp.org" >> /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh +new file mode 100644 +index 00000000000..616fe8844fc +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# packages = chrony ++# platform = multi_platform_fedora,multi_platform_rhel ++# remediation = none ++ ++sed -i "^server.*" /etc/chrony.conf ++if ! grep "^pool.*" /etc/chrony.conf; then ++ echo "pool 0.pool.ntp.org" > /etc/chrony.conf ++fi +diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh +new file mode 100644 +index 00000000000..21a70dc4900 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# packages = chrony ++# platform = multi_platform_fedora,multi_platform_rhel ++ ++sed -i "^pool.*" /etc/chrony.conf ++echo "server 0.pool.ntp.org" > /etc/chrony.conf +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 36f606ee461..2bd1fb54316 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -909,6 +909,7 @@ selections: + # RHEL-08-030740 + # remediation fails because default configuration file contains pool instead of server keyword + - chronyd_or_ntpd_set_maxpoll ++ - chronyd_server_directive + + # RHEL-08-030741 + - chronyd_client_only +diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile +index 374932cfd32..0d4d7b0ff97 100644 +--- 
a/products/rhel9/profiles/stig.profile ++++ b/products/rhel9/profiles/stig.profile +@@ -909,6 +909,7 @@ selections: + # RHEL-08-030740 + # remediation fails because default configuration file contains pool instead of server keyword + - chronyd_or_ntpd_set_maxpoll ++ - chronyd_server_directive + + # RHEL-08-030741 + - chronyd_client_only +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 8c59c5d3201..0081fe1938f 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -152,7 +152,6 @@ CCE-86073-4 + CCE-86074-2 + CCE-86075-9 + CCE-86076-7 +-CCE-86077-5 + CCE-86078-3 + CCE-86079-1 + CCE-86080-9 +@@ -1079,7 +1078,6 @@ CCE-87073-3 + CCE-87074-1 + CCE-87075-8 + CCE-87076-6 +-CCE-87077-4 + CCE-87078-2 + CCE-87079-0 + CCE-87080-8 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 5b06103d72e..7d44f8910d1 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -160,6 +160,7 @@ selections: + - chronyd_client_only + - chronyd_no_chronyc_network + - chronyd_or_ntpd_set_maxpoll ++- chronyd_server_directive + - clean_components_post_updating + - configure_bashrc_exec_tmux + - configure_bind_crypto_policy +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 11e0ee9515a..91546d1d418 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -171,6 +171,7 @@ selections: + - chronyd_client_only + - chronyd_no_chronyc_network + - chronyd_or_ntpd_set_maxpoll ++- chronyd_server_directive + - clean_components_post_updating + - configure_bashrc_exec_tmux + - configure_bind_crypto_policy 
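Review bot: The pool pattern in the new chronyd_server_directive/oval/shared.xml is `^[\s]+pool.*$`, which matches a pool directive only when it is preceded by at least one whitespace character, whereas the sibling server pattern is `^[\s]*server.*$`; a `pool` line at column 0, which is exactly what only_pool.fail.sh writes, is therefore never matched by that object, and whatever test is built on it (the element markup is lost in this rendering, so I cannot see how it is combined) cannot see such a directive. It should read `^[\s]*pool.*$` to mirror the server pattern. Separately, multiple_servers.pass.sh, only_pool.fail.sh and only_server.pass.sh run `sed -i "^pool.*" /etc/chrony.conf` and `sed -i "^server.*" /etc/chrony.conf` with an address but no sed command, which is a sed syntax error rather than a deletion; the two pass scripts are rescued by the `>` redirection that follows, but only_pool.fail.sh depends on that sed to remove pre-existing server lines and may leave a configuration the rule passes on. Use the form already used by chrony_no_pool_nor_servers.pass.sh earlier in this patch, `sed -i "/^server.*/d" /etc/chrony.conf` (and likewise for pool).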
diff --git a/scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch b/scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch new file mode 100644 index 0000000..dd65877 --- /dev/null +++ b/scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch @@ -0,0 +1,854 @@ +From 51a826878ade2ebb564405991937ba0e2b2b7717 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 2 Feb 2022 14:25:30 +0100 +Subject: [PATCH 1/8] create two macros + +one provides description for grub2_argument templated rules +the second provides ocil for those cases +--- + shared/macros.jinja | 56 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 00358e2f67c..3d41c998b0c 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -1620,3 +1620,59 @@ The audit daemon must be restarted for the changes to take effect. + - no_ovirt + {{%- endif %}} + {{% endmacro %}} ++ ++{{# ++ Describe how to configure Grub2 to add an argument to the default kernel command line. ++ The parameter should be in form `parameter=value`. ++#}} ++{{%- macro describe_grub2_argument(arg_name_value) -%}} ++{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}} ++To ensure that {{{ arg_name_value }}} is added as a kernel command line ++argument to newly installed kernels, ad {{{ arg_name_value }}} to the ++default Grub2 command line for Linux operating systems. Modify the line within ++/etc/default/grub as shown below: ++
GRUB_CMDLINE_LINUX="... {{{ arg_name_value }}} ..."
++Run the following command to update command line for already installed kernels: ++{{%- if 'ubuntu' in product -%}} ++
# update-grub
++{{%- else -%}} ++
# grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"
++{{%- endif -%}} ++{{%- else -%}} ++Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows: ++
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"
++{{%- endif -%}} ++{{%- endmacro -%}} ++ ++{{# ++ Provide OCIL for checking if an argument for kernel command line is configured with Grub2. ++ The parameter should have form `parameter=value`. ++#}} ++{{%- macro ocil_grub2_argument(arg_name_value) -%}} ++{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}} ++Inspect the form of default GRUB 2 command line for the Linux operating system ++in /etc/default/grub. If it includes {{{ arg_name_value }}}, ++then auditinng will be enabled for newly installed kernels. ++First check if the GRUB recovery is enabled: ++
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
++If this option is set to true, then check that a line is output by the following command: ++
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*{{{ arg_name_value }}}.*' /etc/default/grub
++If the recovery is disabled, check the line with ++
$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub
. ++{{%- if 'ubuntu' in product -%}} ++Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. ++
# grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'
++This command should not return any output. ++{{%- else -%}} ++Moreover, command line parameters for currently installed kernels should be checked as well. ++Run the following command: ++
# grubby --info=ALL | grep args | grep -v '{{{ arg_name_value }}}'
++The command should not return any output. ++{{%- endif -%}} ++{{%- else -%}} ++Inspect the form of default GRUB 2 command line for the Linux operating system ++in {{{ grub2_boot_path }}}/grubenv. If they include {{{ arg_name_value }}}, then auditing ++is enabled at boot time. ++
# grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv
++{{%- endif -%}} ++{{%- endmacro -%}} + +From c8cb579db19bd55eebcb0bdc4b1432368a5c1b77 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 2 Feb 2022 14:26:26 +0100 +Subject: [PATCH 2/8] use new macros in grub2_audit_argument + +--- + .../auditing/grub2_audit_argument/rule.yml | 45 ++----------------- + 1 file changed, 3 insertions(+), 42 deletions(-) + +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +index 96dbe67699e..aff0521ee73 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +@@ -7,15 +7,8 @@ title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon' + description: |- + To ensure all processes can be audited, even those which start + prior to the audit daemon, add the argument audit=1 to the default +- GRUB 2 command line for the Linux operating system in +-{{% if product in ["rhel7", "ol7"] %}} +- /etc/default/grub, so that the line looks similar to +-
GRUB_CMDLINE_LINUX="... audit=1 ..."
+- In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. +-{{% else %}} +- {{{ grub2_boot_path }}}/grubenv, in the manner below: +-
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
+-{{% endif %}} ++ GRUB 2 command line for the Linux operating system. ++ {{{ describe_grub2_argument("audit=1") | indent(4) }}} + + rationale: |- + Each process on the system carries an "auditable" flag which indicates whether +@@ -59,39 +52,7 @@ references: + ocil_clause: 'auditing is not enabled at boot time' + + ocil: |- +-{{% if product in ["rhel7", "ol7", "sle12","sle15"] %}} +- Inspect the form of default GRUB 2 command line for the Linux operating system +- in /etc/default/grub. If it includes audit=1, then auditing +- is enabled at boot time. +- First check if the GRUB recovery is enabled: +-
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+- If this option is set to true, then check that a line is output by the following command: +-
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+- If the recovery is disabled, check the line with +-
$ grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
. +- Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. +-
# grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'audit=1'
+- This command should not return any output. If it does, update the configuration with +-
# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
+-

+- Alternatively, to ensure audit=1 is configured on all installed kernels, the +- following command may be used: +-
+-
$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"
+-
+-{{% else %}} +- Inspect the form of default GRUB 2 command line for the Linux operating system +- in {{{ grub2_boot_path }}}/grubenv. If they include audit=1, then auditing +- is enabled at boot time. +-
# grep 'kernelopts.*audit=1.*' {{{ grub2_boot_path }}}/grubenv
+-

+- To ensure audit=1 is configured on all installed kernels, the +- following command may be used: +-
+-
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
+-
+-{{% endif %}} +- ++ {{{ ocil_grub2_argument("audit=1") | indent(4) }}} + + warnings: + - management: |- + +From 3ff2c245408d3fe892222eee8171e2f84868f705 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 3 Feb 2022 14:25:34 +0100 +Subject: [PATCH 3/8] fix omission in ocil jinja macro + +--- + shared/macros.jinja | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 3d41c998b0c..16a0404b668 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -1652,7 +1652,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} + {{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}} + Inspect the form of default GRUB 2 command line for the Linux operating system + in /etc/default/grub. If it includes {{{ arg_name_value }}}, +-then auditinng will be enabled for newly installed kernels. ++then the parameter will be configured for newly installed kernels. + First check if the GRUB recovery is enabled: +
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+ If this option is set to true, then check that a line is output by the following command: +@@ -1671,8 +1671,8 @@ The command should not return any output. + {{%- endif -%}} + {{%- else -%}} + Inspect the form of default GRUB 2 command line for the Linux operating system +-in {{{ grub2_boot_path }}}/grubenv. If they include {{{ arg_name_value }}}, then auditing +-is enabled at boot time. ++in {{{ grub2_boot_path }}}/grubenv. If they include {{{ arg_name_value }}}, then the parameter ++is configured at boot time. +
# grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv
+ {{%- endif -%}} + {{%- endmacro -%}} + +From 976da69681d03d9b9380fc57216c30c7b4891f50 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 3 Feb 2022 14:26:33 +0100 +Subject: [PATCH 4/8] use new jinja macros in all grub2 related rules + +--- + .../rule.yml | 15 ++----- + .../grub2_enable_iommu_force/rule.yml | 9 +++- + .../grub2_init_on_alloc_argument/rule.yml | 18 ++------ + .../grub2_kernel_trust_cpu_rng/rule.yml | 11 ++--- + .../grub2_pti_argument/rule.yml | 15 ++----- + .../grub2_vsyscall_argument/rule.yml | 15 ++----- + .../grub2_ipv6_disable_argument/rule.yml | 45 ++----------------- + .../grub2_page_poison_argument/rule.yml | 15 ++----- + .../grub2_slub_debug_argument/rule.yml | 15 ++----- + 9 files changed, 33 insertions(+), 125 deletions(-) + +diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +index f94ddab2fe1..868d525014f 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +@@ -7,9 +7,8 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon' + description: |- + To improve the kernel capacity to queue all log events, even those which occurred + prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +- GRUB 2 command line for the Linux operating system in +- /etc/default/grub, in the manner below: +-
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
++ GRUB 2 command line for the Linux operating system. ++ {{{ describe_grub2_argument("audit_backlog_limit=8192") | indent(4) }}} + + rationale: |- + audit_backlog_limit sets the queue length for audit events awaiting transfer +@@ -40,15 +39,7 @@ references: + ocil_clause: 'audit backlog limit is not configured' + + ocil: |- +- Inspect the form of default GRUB 2 command line for the Linux operating system +- in /etc/default/grub. If they include audit=1, then auditing +- is enabled at boot time. +-

+- To ensure audit_backlog_limit=8192 is configured on all installed kernels, the +- following command may be used: +-
+-
$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+-
++ {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}} + + warnings: + - management: |- +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +index 0a0d76aeb23..1ff5a4d5f26 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +@@ -5,9 +5,10 @@ title: 'IOMMU configuration directive' + description: |- + On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some + of the system critical units such as the memory. ++ {{{ describe_grub2_argument("iommu=force") | indent(4) }}} + + rationale: |- +- On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by ++ On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by + hardware devices. + + severity: unknown +@@ -22,6 +23,12 @@ references: + + platform: machine + ++ocil_clause: 'I/OMMU is not activated' ++ ++ocil: |- ++ {{{ ocil_grub2_argument("iommu=force") | indent(4) }}} ++ ++ + warnings: + - functionality: + Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. 
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +index a9253c74cc6..3bb645dadb7 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +@@ -6,12 +6,8 @@ title: 'Configure kernel to zero out memory before allocation' + + description: |- + To configure the kernel to zero out memory before allocating it, add the +- init_on_alloc=1 argument to the default GRUB 2 command line for +- the Linux operating system in /etc/default/grub, in the manner +- below: +-
GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"
+- Update the boot parameter for existing kernels by running the following command: +-
# grubby --update-kernel=ALL --args="init_on_alloc=1"
++ init_on_alloc=1 argument to the default GRUB 2 command line. ++ {{{ describe_grub2_argument("init_on_alloc=1") | indent(4) }}} + + rationale: |- + When the kernel configuration option init_on_alloc is enabled, +@@ -27,15 +23,7 @@ identifiers: + ocil_clause: 'the kernel is not configured to zero out memory before allocation' + + ocil: |- +- Make sure that the kernel is configured to zero out memory before +- allocation. Ensure that the parameter is configured in +- /etc/default/grub: +-
grep GRUB_CMDLINE_LINUX /etc/default/grub
+- The output should contain init_on_alloc=1. +- Run the following command to display command line parameters of all +- installed kernels: +-
# grubby --info=ALL | grep args
+- Ensure that each line contains the init_on_alloc=1 parameter. ++ {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}} + + platform: machine + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +index 308ae9cb735..d6bfc02f345 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +@@ -11,8 +11,8 @@ description: |- + Y, make sure that it is not overridden with the boot parameter. + There must not exist the boot parameter random.trust_cpu=off. If + the option is not compiled in, make sure that random.trust_cpu=on +- is configured as a boot parameter by running the following command: +-
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on"
++ is configured as a boot parameter. ++ {{{ describe_grub2_argument("random.trust_cpu=on") | indent(4) }}} + + rationale: |- + The Linux kernel offers an option which signifies if the kernel should trust +@@ -44,11 +44,8 @@ ocil: |- + option is not overridden through a boot parameter: +
sudo grep 'kernelopts.*random\.trust_cpu=off.*' {{{ grub2_boot_path }}}/grubenv
+ The command should not return any output. If the option is not compiled into +- the kernel, check that the option is configured through boot parameter with +- the following command: +-
sudo grep 'kernelopts.*random\.trust_cpu=on.*' {{{ grub2_boot_path }}}/grubenv
+- If the command does not return any output, then the boot parameter is +- missing. ++ the kernel, check that the option is configured through boot parameter. ++ {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}} + + platform: machine + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +index f4f3fa39510..51b0a284746 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +@@ -7,9 +7,8 @@ title: 'Enable Kernel Page-Table Isolation (KPTI)' + description: |- + To enable Kernel page-table isolation, + add the argument pti=on to the default +- GRUB 2 command line for the Linux operating system in +- /etc/default/grub, in the manner below: +-
GRUB_CMDLINE_LINUX="pti=on"
++ GRUB 2 command line for the Linux operating system. ++ {{{ describe_grub2_argument("pti=on") | indent(4) }}} + + rationale: |- + Kernel page-table isolation is a kernel feature that mitigates +@@ -33,15 +32,7 @@ references: + ocil_clause: 'Kernel page-table isolation is not enabled' + + ocil: |- +- Inspect the form of default GRUB 2 command line for the Linux operating system +- in /etc/default/grub. If they include pti=on, +- then Kernel page-table isolation is enabled at boot time. +-

+- To ensure pti=on is configured on all installed kernels, the +- following command may be used: +-
+-
$ sudo /sbin/grubby --update-kernel=ALL --args="pti=on
+-
++ {{{ ocil_grub2_argument("pti=on") | indent(4) }}} + + warnings: + - management: |- +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +index 9f38a1c13b9..1b88d13bd3c 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +@@ -7,9 +7,8 @@ title: 'Disable vsyscalls' + description: |- + To disable use of virtual syscalls, + add the argument vsyscall=none to the default +- GRUB 2 command line for the Linux operating system in +- /etc/default/grub, in the manner below: +-
GRUB_CMDLINE_LINUX="vsyscall=none"
++ GRUB 2 command line for the Linux operating system. ++ {{{ describe_grub2_argument("vsyscall=none") | indent(4) }}} + + rationale: |- + Virtual Syscalls provide an opportunity of attack for a user who has control +@@ -33,15 +32,7 @@ references: + ocil_clause: 'vsyscalls are enabled' + + ocil: |- +- Inspect the form of default GRUB 2 command line for the Linux operating system +- in /etc/default/grub. If they include vsyscall=none, +- then virtyal syscalls are not enabled at boot time. +-

+- To ensure vsyscall=none is configured on all installed kernels, the +- following command may be used: +-
+-
$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none
+-
++ {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}} + + warnings: + - management: |- +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +index b8ff66c7d6e..c0fda343a1a 100644 +--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +@@ -7,20 +7,8 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter' + description: |- + To disable IPv6 protocol support in the Linux kernel, + add the argument ipv6.disable=1 to the default +- GRUB2 command line for the Linux operating system in +-{{% if product in ["rhel7", "ol7"] %}} +- /etc/default/grub, so that the line looks similar to +-
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
+- In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. +- Run one of following command to ensure that the configuration is applied when booting currently installed kernels: +-
sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
+- or +-
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+-{{% else %}} +- {{{ grub2_boot_path }}}/grubenv, in the manner below: +-
sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+-{{% endif %}} +- ++ GRUB2 command line for the Linux operating system. ++ {{{ describe_grub2_argument("ipv6.disable=1") | indent(4) }}} + + rationale: |- + Any unnecessary network stacks, including IPv6, should be disabled to reduce +@@ -40,34 +28,7 @@ references: + ocil_clause: 'IPv6 is not disabled' + + ocil: |- +- {{% if product in ["rhel7", "ol7"] %}} +- Inspect the form of default GRUB2 command line for the Linux operating system +- in /etc/default/grub. Check if it includes ipv6.disable=1. +- First check if the GRUB recovery is enabled: +-
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+- If this option is set to true, then check that the following line is output by the following command: +-
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
+- If the recovery is disabled, check the line with +-
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. +- Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. +-
sudo grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'ipv6.disable=1'
+- This command should not return any output. If it does, update the configuration with one of following commands: +-
sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
+- or +-
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+-
+-{{% else %}} +- Inspect the form of default GRUB2 command line for the Linux operating system +- in {{{ grub2_boot_path }}}/grubenv. Check if it includes ipv6.disable=1. +-
sudo grep 'kernelopts.*ipv6.disable=1.*' {{{ grub2_boot_path }}}/grubenv
+-

+- To ensure ipv6.disable=1 is configured on all installed kernels, the +- following command may be used: +-
+-
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+-
+-{{% endif %}} +- ++ {{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}} + + warnings: + - management: |- +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +index 3bf592fb4d8..1f4e183d9e7 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +@@ -7,9 +7,8 @@ title: 'Enable page allocator poisoning' + description: |- + To enable poisoning of free pages, + add the argument page_poison=1 to the default +- GRUB 2 command line for the Linux operating system in +- /etc/default/grub, in the manner below: +-
GRUB_CMDLINE_LINUX="page_poison=1"
++ GRUB 2 command line for the Linux operating system. ++ {{{ describe_grub2_argument("page_poison=1") | indent(4) }}} + + rationale: |- + Poisoning writes an arbitrary value to freed pages, so any modification or +@@ -35,15 +34,7 @@ references: + ocil_clause: 'page allocator poisoning is not enabled' + + ocil: |- +- Inspect the form of default GRUB 2 command line for the Linux operating system +- in /etc/default/grub. If they include page_poison=1, +- then page poisoning is enabled at boot time. +-

+- To ensure page_poison=1 is configured on all installed kernels, the +- following command may be used: +-
+-
$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1
+-
++ {{{ ocil_grub2_argument("page_poison=1") | indent(4) }}} + + warnings: + - management: |- +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +index 9964399650a..bb5dbc6c125 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +@@ -7,9 +7,8 @@ title: 'Enable SLUB/SLAB allocator poisoning' + description: |- + To enable poisoning of SLUB/SLAB objects, + add the argument slub_debug=P to the default +- GRUB 2 command line for the Linux operating system in +- /etc/default/grub, in the manner below: +-
GRUB_CMDLINE_LINUX="slub_debug=P"
++ GRUB 2 command line for the Linux operating system. ++ {{{ describe_grub2_argument("slub_debug=P") | indent(4) }}} + + rationale: |- + Poisoning writes an arbitrary value to freed objects, so any modification or +@@ -35,15 +34,7 @@ references: + ocil_clause: 'SLUB/SLAB poisoning is not enabled' + + ocil: |- +- Inspect the form of default GRUB 2 command line for the Linux operating system +- in /etc/default/grub. If they include slub_debug=P, +- then SLUB/SLAB poisoning is enabled at boot time. +-

+- To ensure slub_debug=P is configured on all installed kernels, the +- following command may be used: +-
+-
$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P
+-
++ {{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}} + + warnings: + - management: |- + +From 5c39cf81d49f0eb5bb73337057fb95356784e5c6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 9 Feb 2022 16:05:59 +0100 +Subject: [PATCH 5/8] fix an error in ubuntu version of macro + +--- + shared/macros.jinja | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 16a0404b668..54d2b299a47 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -1660,7 +1660,7 @@ If this option is set to true, then check that a line is output by the following + If the recovery is disabled, check the line with +
$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub
. + {{%- if 'ubuntu' in product -%}} +-Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. ++Moreover, current Grub2 config file in {{{ grub2_boot_path }}}/grub.cfg must be checked. +
# grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'
+ This command should not return any output. + {{%- else -%}} + +From f100d190833d168127715215e788347f806736f3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 9 Feb 2022 16:16:21 +0100 +Subject: [PATCH 6/8] remove warnings from rules + +they are no longer relevant, we do not use grub2-mkconfig anymore +--- + .../auditing/grub2_audit_argument/rule.yml | 18 ------------------ + .../rule.yml | 18 ------------------ + .../grub2_pti_argument/rule.yml | 18 ------------------ + .../grub2_vsyscall_argument/rule.yml | 18 ------------------ + .../grub2_ipv6_disable_argument/rule.yml | 18 ------------------ + .../grub2_page_poison_argument/rule.yml | 18 ------------------ + .../grub2_slub_debug_argument/rule.yml | 18 ------------------ + 7 files changed, 126 deletions(-) + +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +index aff0521ee73..00a4ded2738 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +@@ -54,24 +54,6 @@ ocil_clause: 'auditing is not enabled at boot time' + ocil: |- + {{{ ocil_grub2_argument("audit=1") | indent(4) }}} + +-warnings: +- - management: |- +- The GRUB 2 configuration file, grub.cfg, +- is automatically updated each time a new kernel is installed. Note that any +- changes to /etc/default/grub require rebuilding the grub.cfg +- file. To update the GRUB 2 configuration file manually, use the +-
grub2-mkconfig -o
command as follows: +-
    +-
  • On BIOS-based machines, issue the following command as root: +-
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • +-
  • On UEFI-based machines, issue the following command as root: +-{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • +-{{% else %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    +-{{% endif %}} +-
+- + platform: grub2 + + template: +diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +index 868d525014f..efbc3dae1c1 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +@@ -41,24 +41,6 @@ ocil_clause: 'audit backlog limit is not configured' + ocil: |- + {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}} + +-warnings: +- - management: |- +- The GRUB 2 configuration file, grub.cfg, +- is automatically updated each time a new kernel is installed. Note that any +- changes to /etc/default/grub require rebuilding the grub.cfg +- file. To update the GRUB 2 configuration file manually, use the +-
grub2-mkconfig -o
command as follows: +-
    +-
  • On BIOS-based machines, issue the following command as root: +-
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • +-
  • On UEFI-based machines, issue the following command as root: +-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • +-{{% else %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    +-{{% endif %}} +-
+- + platform: grub2 + + template: +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +index 51b0a284746..52a308e3247 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +@@ -34,24 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled' + ocil: |- + {{{ ocil_grub2_argument("pti=on") | indent(4) }}} + +-warnings: +- - management: |- +- The GRUB 2 configuration file, grub.cfg, +- is automatically updated each time a new kernel is installed. Note that any +- changes to /etc/default/grub require rebuilding the grub.cfg +- file. To update the GRUB 2 configuration file manually, use the +-
grub2-mkconfig -o
command as follows: +-
    +-
  • On BIOS-based machines, issue the following command as root: +-
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • +-
  • On UEFI-based machines, issue the following command as root: +-{{% if product in ["rhel8", "ol8"] %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • +-{{% else %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    +-{{% endif %}} +-
+- + platform: machine + + template: +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +index 1b88d13bd3c..93eb31dad7b 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +@@ -34,24 +34,6 @@ ocil_clause: 'vsyscalls are enabled' + ocil: |- + {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}} + +-warnings: +- - management: |- +- The GRUB 2 configuration file, grub.cfg, +- is automatically updated each time a new kernel is installed. Note that any +- changes to /etc/default/grub require rebuilding the grub.cfg +- file. To update the GRUB 2 configuration file manually, use the +-
grub2-mkconfig -o
command as follows: +-
    +-
  • On BIOS-based machines, issue the following command as root: +-
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • +-
  • On UEFI-based machines, issue the following command as root: +-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • +-{{% else %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    +-{{% endif %}} +-
+- + platform: machine + + template: +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +index c0fda343a1a..9e1ca48efe0 100644 +--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +@@ -30,24 +30,6 @@ ocil_clause: 'IPv6 is not disabled' + ocil: |- + {{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}} + +-warnings: +- - management: |- +- The GRUB 2 configuration file, grub.cfg, +- is automatically updated each time a new kernel is installed. Note that any +- changes to /etc/default/grub require rebuilding the grub.cfg +- file. To update the GRUB 2 configuration file manually, use the +-
grub2-mkconfig -o
command as follows: +-
    +-
  • On BIOS-based machines, issue the following command: +-
    sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • +-
  • On UEFI-based machines, issue the following command: +-{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} +-
    sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • +-{{% else %}} +-
    sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    +-{{% endif %}} +-
+- + platform: grub2 + + template: +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +index 1f4e183d9e7..1ad6c6b3c44 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +@@ -36,24 +36,6 @@ ocil_clause: 'page allocator poisoning is not enabled' + ocil: |- + {{{ ocil_grub2_argument("page_poison=1") | indent(4) }}} + +-warnings: +- - management: |- +- The GRUB 2 configuration file, grub.cfg, +- is automatically updated each time a new kernel is installed. Note that any +- changes to /etc/default/grub require rebuilding the grub.cfg +- file. To update the GRUB 2 configuration file manually, use the +-
grub2-mkconfig -o
command as follows: +-
    +-
  • On BIOS-based machines, issue the following command as root: +-
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • +-
  • On UEFI-based machines, issue the following command as root: +-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • +-{{% else %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    +-{{% endif %}} +-
+- + platform: grub2 + + template: +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +index bb5dbc6c125..e40f5377c61 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +@@ -36,24 +36,6 @@ ocil_clause: 'SLUB/SLAB poisoning is not enabled' + ocil: |- + {{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}} + +-warnings: +- - management: |- +- The GRUB 2 configuration file, grub.cfg, +- is automatically updated each time a new kernel is installed. Note that any +- changes to /etc/default/grub require rebuilding the grub.cfg +- file. To update the GRUB 2 configuration file manually, use the +-
grub2-mkconfig -o
command as follows: +-
    +-
  • On BIOS-based machines, issue the following command as root: +-
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • +-
  • On UEFI-based machines, issue the following command as root: +-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • +-{{% else %}} +-
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    +-{{% endif %}} +-
+- + platform: grub2 + + template: + +From bbc3cc093004efd0457ccb33722a4fb14b0b2fb8 Mon Sep 17 00:00:00 2001 +From: vojtapolasek +Date: Mon, 14 Feb 2022 14:29:15 +0100 +Subject: [PATCH 7/8] Update shared/macros.jinja +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Matěj Týč +--- + shared/macros.jinja | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 54d2b299a47..392181e2b24 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -1671,7 +1671,12 @@ The command should not return any output. + {{%- endif -%}} + {{%- else -%}} + Inspect the form of default GRUB 2 command line for the Linux operating system +-in {{{ grub2_boot_path }}}/grubenv. If they include {{{ arg_name_value }}}, then the parameter ++{{% if grub2_boot_path == grub2_uefi_boot_path or not grub2_uefi_boot_path -%}} ++in {{{ grub2_boot_path }}}/grubenv. ++{{%- else -%}} ++in grubenv that can be found either in {{{ grub2_boot_path }}} in case of legacy BIOS systems, or in {{{ grub2_uefi_boot_path }}} in case of UEFI systems. ++{{%- endif %}} ++If they include {{{ arg_name_value }}}, then the parameter + is configured at boot time. +
# grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv
+ {{%- endif -%}} + +From 8121376668b43d21cf0f9700994bc011c3e313d7 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 14 Feb 2022 15:17:33 +0100 +Subject: [PATCH 8/8] more modifications to description and ocil + +final touches +--- + shared/macros.jinja | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 392181e2b24..a89bac12f53 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -1626,7 +1626,7 @@ The audit daemon must be restarted for the changes to take effect. + The parameter should be in form `parameter=value`. + #}} + {{%- macro describe_grub2_argument(arg_name_value) -%}} +-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}} ++{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}} + To ensure that {{{ arg_name_value }}} is added as a kernel command line + argument to newly installed kernels, ad {{{ arg_name_value }}} to the + default Grub2 command line for Linux operating systems. Modify the line within +@@ -1649,7 +1649,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} + The parameter should have form `parameter=value`. + #}} + {{%- macro ocil_grub2_argument(arg_name_value) -%}} +-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}} ++{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}} + Inspect the form of default GRUB 2 command line for the Linux operating system + in /etc/default/grub. If it includes {{{ arg_name_value }}}, + then the parameter will be configured for newly installed kernels. +@@ -1660,8 +1660,12 @@ If this option is set to true, then check that a line is output by the following + If the recovery is disabled, check the line with +
$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub
. + {{%- if 'ubuntu' in product -%}} +-Moreover, current Grub2 config file in {{{ grub2_boot_path }}}/grub.cfg must be checked. +-
# grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'
++Moreover, current Grub config file grub.cfg must be checked. The file can be found ++either in {{{ grub2_boot_path }}} in case of legacy BIOS systems, or in {{{ grub2_uefi_boot_path }}} in case of UEFI systems. ++If they include {{{ arg_name_value }}}, then the parameter ++is configured at boot time. ++
# grep vmlinuz GRUB_CFG_FILE_PATH | grep -v '{{{ arg_name_value }}}'
++Fill in GRUB_CFG_FILE_PATH based on information above. + This command should not return any output. + {{%- else -%}} + Moreover, command line parameters for currently installed kernels should be checked as well. +@@ -1678,6 +1682,7 @@ in grubenv that can be found either in {{{ grub2_boot_path }}} + {{%- endif %}} + If they include {{{ arg_name_value }}}, then the parameter + is configured at boot time. +-
# grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv
++
# grep 'kernelopts.*{{{ arg_name_value }}}.*' GRUBENV_FILE_LOCATION
++Fill in GRUBENV_FILE_LOCATION based on information above. + {{%- endif -%}} + {{%- endmacro -%}} diff --git a/scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch b/scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch new file mode 100644 index 0000000..75a44a7 --- /dev/null +++ b/scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch 
@@ -0,0 +1,842 @@ +From 1bd88bbdc7ce8b6e2265f323cd3a777ef2240e6b Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Fri, 28 Jan 2022 17:11:56 +0100 +Subject: [PATCH 1/5] Change the grub2 bootloader argument template + +- Introduce the concept of product-specific bootloader config + properties that determine the check/remediation form. +- Expand the RHEL8 remediation with a check for update of + /etc/default/grub contents. +- Add a RHEL8 check that looks for kernelopts references in loader entries. +- Update tests. +--- + .../grub2_entries_reference_kernelopts.xml | 25 +++++ + .../ansible.template | 35 ++++++- + .../grub2_bootloader_argument/bash.template | 48 +++++++-- + .../grub2_bootloader_argument/oval.template | 97 +++++++++++++------ + .../arg_not_there_etcdefaultgrub.fail.sh | 2 +- + ....fail.sh => arg_not_there_grubenv.fail.sh} | 0 + 6 files changed, 164 insertions(+), 43 deletions(-) + create mode 100644 shared/checks/oval/grub2_entries_reference_kernelopts.xml + rename shared/templates/grub2_bootloader_argument/tests/{arg_not_there.fail.sh => arg_not_there_grubenv.fail.sh} (100%) + +diff --git a/shared/checks/oval/grub2_entries_reference_kernelopts.xml b/shared/checks/oval/grub2_entries_reference_kernelopts.xml +new file mode 100644 +index 00000000000..1aec9fe64d2 +--- /dev/null ++++ b/shared/checks/oval/grub2_entries_reference_kernelopts.xml +@@ -0,0 +1,25 @@ ++ ++ ++ {{{ oval_metadata( ++ "Ensure that grubenv-defined kernel options are referenced in individual boot loader entries", ++ title="Use $kernelopts in /boot/loader/entries/*.conf", ++ affected_platforms=["multi_platform_all"]) }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /boot/loader/entries/ ++ ^.*\.conf$ ++ ^options .*\b\$kernelopts\b.*$ ++ 1 ++ ++ +diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template +index 58d4fab69fa..de970879c8f 100644 +--- a/shared/templates/grub2_bootloader_argument/ansible.template ++++ 
b/shared/templates/grub2_bootloader_argument/ansible.template +@@ -4,7 +4,34 @@ + # complexity = medium + # disruption = low + +-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}} ++{{# ++ See the OVAL template for more comments. ++ Product-specific categorization should be synced across all template content types ++-#}} ++{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}} ++{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}} ++{{% set system_with_kernel_options_in_grubenv = false -%}} ++{{% set system_with_kernel_options_in_etc_default_grub = false -%}} ++{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}} ++ ++{{% if product in ["rhel9"] %}} ++{{% set system_with_expanded_kernel_options_in_loader_entries = true %}} ++{{% endif -%}} ++ ++{{% if product in ["rhel8"] %}} ++{{% set system_with_referenced_kernel_options_in_loader_entries = true %}} ++{{% set system_with_kernel_options_in_grubenv = true %}} ++{{% endif -%}} ++ ++{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}} ++{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}} ++{{% endif -%}} ++ ++{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}} ++{{% set system_with_kernel_options_in_etc_default_grub = true %}} ++{{% endif -%}} ++ ++{{% if system_with_kernel_options_in_etc_default_grub -%}} + - name: Check {{{ ARG_NAME }}} argument exists + command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub + failed_when: False +@@ -27,7 +54,9 @@ + - name: Update bootloader menu + command: /sbin/grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}" + +-{{% else %}} ++{{%- endif %}} ++ ++{{% if system_with_kernel_options_in_grubenv -%}} + + - name: Get current kernel parameters + ansible.builtin.shell: +@@ -50,4 +79,4 @@ + when: + - kernelopts.rc != 0 + +-{{% endif %}} ++{{%- endif %}} +diff --git a/shared/templates/grub2_bootloader_argument/bash.template 
b/shared/templates/grub2_bootloader_argument/bash.template +index 631e686897e..817fd1fde23 100644 +--- a/shared/templates/grub2_bootloader_argument/bash.template ++++ b/shared/templates/grub2_bootloader_argument/bash.template +@@ -1,6 +1,41 @@ + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle ++{{# ++ See the OVAL template for more comments. ++ Product-specific categorization should be synced across all template content types ++-#}} + +-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}} ++{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}} ++{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}} ++{{% set system_with_kernel_options_in_grubenv = false -%}} ++{{% set system_with_kernel_options_in_etc_default_grub = false -%}} ++{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}} ++ ++{{% if product in ["rhel9"] %}} ++{{% set system_with_expanded_kernel_options_in_loader_entries = true %}} ++{{% endif -%}} ++ ++{{% if product in ["rhel8"] %}} ++{{% set system_with_referenced_kernel_options_in_loader_entries = true %}} ++{{% set system_with_kernel_options_in_grubenv = true %}} ++{{% endif -%}} ++ ++{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}} ++{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}} ++{{% endif -%}} ++ ++{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}} ++{{% set system_with_kernel_options_in_etc_default_grub = true %}} ++{{% endif -%}} ++ ++{{% macro update_etc_default_grub(arg_name_value) %}} ++{{% if 'ubuntu' in product %}} ++update-grub ++{{% else %}} ++grubby --update-kernel=ALL --args="{{{ arg_name_value }}}" ++{{% endif %}} ++{{% endmacro -%}} ++ ++{{% if system_with_kernel_options_in_etc_default_grub %}} + {{% if '/' in ARG_NAME %}} + {{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) 
}}} + {{% elif '/' in ARG_NAME_VALUE %}} +@@ -14,14 +49,11 @@ else + # no {{{ ARG_NAME }}}=arg is present, append it + sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub' + fi +- +-{{% if 'ubuntu' in product %}} +-update-grub +-{{% else %}} +-# Correct the form of kernel command line for each installed kernel in the bootloader +-grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}" + {{% endif %}} +-{{% else %}} ++ ++{{{ update_etc_default_grub(ARG_NAME_VALUE) }}} ++ ++{{% if system_with_kernel_options_in_grubenv -%}} + # Correct grub2 kernelopts value using grub2-editenv + existing_kernelopts="$(grub2-editenv - list | grep kernelopts)" + if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then +diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template +index 3ea8acb2910..24258a3bcbd 100644 +--- a/shared/templates/grub2_bootloader_argument/oval.template ++++ b/shared/templates/grub2_bootloader_argument/oval.template +@@ -1,15 +1,53 @@ ++{{#- ++ We set defaults to "off", and products should enable relevant ones depending on how the product configures grub. 
++ - /boot/loader/entries/* may not exist don't exist ++ - If they exist, they can reference variables defined in grubenv, or they can contain literal args ++ - The grub cfg may either use those loader entries, or it can contain literal values as well ++ - Kernel opts can be stored in /etc/default/grub so they are persistent between kernel upgrades ++-#}} ++{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}} ++{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}} ++{{% set system_with_kernel_options_in_grubenv = false -%}} ++{{% set system_with_kernel_options_in_etc_default_grub = false -%}} ++{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}} ++ ++{{% if product in ["rhel9"] -%}} ++{{% set system_with_expanded_kernel_options_in_loader_entries = true %}} ++{{%- endif -%}} ++ ++{{% if product in ["rhel8"] -%}} ++{{% set system_with_referenced_kernel_options_in_loader_entries = true %}} ++{{% set system_with_kernel_options_in_grubenv = true %}} ++{{%- endif -%}} ++ ++{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product -%}} ++{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}} ++{{%- endif -%}} ++ ++{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}} ++{{% set system_with_kernel_options_in_etc_default_grub = true %}} ++{{%- endif -%}} ++ + + + {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}} + +- {{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}} +- {{% if product in ['rhel9'] %}} ++ {{% if system_with_kernel_options_in_grubenv -%}} ++ ++ {{%- endif %}} ++ {{% if system_with_referenced_kernel_options_in_loader_entries -%}} ++ ++ {{%- endif %}} ++ {{% if system_with_expanded_kernel_options_in_loader_entries -%}} + +- {{% else %}} ++ {{%- endif %}} ++ {{% if system_with_expanded_kernel_options_in_grub_cfg -%}} + +- {{% endif %}} ++ {{%- endif %}} ++ {{% if 
system_with_kernel_options_in_etc_default_grub -%}} + + +@@ -20,14 +58,11 @@ + comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" /> + + +- {{% else %}} +- +- {{% endif %}} ++ {{%- endif %}} +
+ + +-{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}} ++{{%- if system_with_kernel_options_in_etc_default_grub %}} + +@@ -54,8 +89,25 @@ + ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ + 1 + ++{{%- endif %}} ++ ++{{%- if system_with_kernel_options_in_grubenv %}} ++ ++ ++ ++ + +- {{% if product in ["rhel9"] %}} ++ ++ {{{ grub2_boot_path }}}/grubenv ++ ^kernelopts=(.*)$ ++ 1 ++ ++{{%- endif %}} ++ ++{{%- if system_with_expanded_kernel_options_in_loader_entries %}} + +@@ -69,7 +121,9 @@ + ^options (.*)$ + 1 + +- {{% else %}} ++{{%- endif %}} ++ ++{{%- if system_with_expanded_kernel_options_in_grub_cfg %}} + +@@ -87,26 +141,7 @@ + {{% endif %}} + 1 + +- +- {{% endif %}} +- +-{{% else %}} +- +- +- +- +- +- +- +- {{{ grub2_boot_path }}}/grubenv +- ^kernelopts=(.*)$ +- 1 +- +- +-{{% endif %}} ++{{%- endif %}} + + +diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh +index a56e6d09235..a270be45952 100644 +--- a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh ++++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9 ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 + + # Removes argument from kernel command line in /etc/default/grub + if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"' '/etc/default/grub' ; then +diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh +similarity index 100% +rename from shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh +rename to shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh + +From 
0d10bf751d5e1d7f024cd7301f8b02b38c0e3b9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Wed, 9 Feb 2022 11:19:06 +0100
+Subject: [PATCH 2/5] Change the default product setting
+
+Assume that every product stores kernel opts in the /etc/default/grub
+---
+ shared/templates/grub2_bootloader_argument/ansible.template | 6 +-----
+ shared/templates/grub2_bootloader_argument/bash.template | 6 +-----
+ shared/templates/grub2_bootloader_argument/oval.template | 6 +-----
+ 3 files changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template
+index de970879c8f..46de9b465c2 100644
+--- a/shared/templates/grub2_bootloader_argument/ansible.template
++++ b/shared/templates/grub2_bootloader_argument/ansible.template
+@@ -11,7 +11,7 @@
+ {{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
++{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+
+ {{% if product in ["rhel9"] %}}
+@@ -27,10 +27,6 @@
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+ {{% endif -%}}
+
+-{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true %}}
+-{{% endif -%}}
+-
+ {{% if system_with_kernel_options_in_etc_default_grub -%}}
+ - name: Check {{{ ARG_NAME }}} argument exists
+ command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub
+diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
+index 817fd1fde23..b188d1e3689 100644
+---
a/shared/templates/grub2_bootloader_argument/bash.template
++++ b/shared/templates/grub2_bootloader_argument/bash.template
+@@ -7,7 +7,7 @@
+ {{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
++{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+
+ {{% if product in ["rhel9"] %}}
+@@ -23,10 +23,6 @@
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+ {{% endif -%}}
+
+-{{% if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true %}}
+-{{% endif -%}}
+-
+ {{% macro update_etc_default_grub(arg_name_value) %}}
+ {{% if 'ubuntu' in product %}}
+ update-grub
+diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
+index 24258a3bcbd..88fa7b7a3ee 100644
+--- a/shared/templates/grub2_bootloader_argument/oval.template
++++ b/shared/templates/grub2_bootloader_argument/oval.template
+@@ -8,7 +8,7 @@
+ {{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+ {{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = false -%}}
++{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+
+ {{% if product in ["rhel9"] -%}}
+@@ -24,10 +24,6 @@
+ {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+ {{%- endif -%}}
+
+-{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product %}}
+-{{% set
system_with_kernel_options_in_etc_default_grub = true %}} +-{{%- endif -%}} +- + + + {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}} + +From fac0aeb351d7acab1112482d11a0be73df662496 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 11 Feb 2022 14:55:53 +0100 +Subject: [PATCH 3/5] Improve the template further + +- Fix the $kernelopts regex - $ is not a word char. +- Use grubby exclusively on RHEL systems and structure remediations differently than OVAL checks +- Exclude the rescue.conf loader entry from checks, as it is not a boot entry for general use. +--- + .../grub2_entries_reference_kernelopts.xml | 2 +- + .../ansible.template | 72 +------------------ + .../grub2_bootloader_argument/bash.template | 67 +++++------------ + .../grub2_bootloader_argument/oval.template | 7 +- + .../tests/invalid_rescue.pass.sh | 6 ++ + tests/test_rule_in_container.sh | 2 +- + 6 files changed, 33 insertions(+), 123 deletions(-) + create mode 100644 shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh + +diff --git a/shared/checks/oval/grub2_entries_reference_kernelopts.xml b/shared/checks/oval/grub2_entries_reference_kernelopts.xml +index 1aec9fe64d2..30f3965a037 100644 +--- a/shared/checks/oval/grub2_entries_reference_kernelopts.xml ++++ b/shared/checks/oval/grub2_entries_reference_kernelopts.xml +@@ -19,7 +19,7 @@ + + /boot/loader/entries/ + ^.*\.conf$ +- ^options .*\b\$kernelopts\b.*$ ++ ^options(?:\s+.*)?\s+\$kernelopts\b.*$ + 1 + + +diff --git a/shared/templates/grub2_bootloader_argument/ansible.template b/shared/templates/grub2_bootloader_argument/ansible.template +index 46de9b465c2..db3b4430d4b 100644 +--- a/shared/templates/grub2_bootloader_argument/ansible.template ++++ b/shared/templates/grub2_bootloader_argument/ansible.template +@@ -4,75 +4,5 @@ + # complexity = medium + # disruption = low + +-{{# +- See the OVAL template for more comments. 
+- Product-specific categorization should be synced across all template content types
+--#}}
+-{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+-{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+-{{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+-{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
+-
+-{{% if product in ["rhel9"] %}}
+-{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
+-{{% endif -%}}
+-
+-{{% if product in ["rhel8"] %}}
+-{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
+-{{% set system_with_kernel_options_in_grubenv = true %}}
+-{{% endif -%}}
+-
+-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+-{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+-{{% endif -%}}
+-
+-{{% if system_with_kernel_options_in_etc_default_grub -%}}
+-- name: Check {{{ ARG_NAME }}} argument exists
+- command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub
+- failed_when: False
+- register: argcheck
+-
+-- name: Replace existing {{{ ARG_NAME }}} argument
+- replace:
+- path: /etc/default/grub
+- regexp: '{{{ ARG_NAME }}}=\w+'
+- replace: '{{{ ARG_NAME_VALUE }}}'
+- when: argcheck.rc == 0
+-
+-- name: Add {{{ ARG_NAME }}} argument
+- replace:
+- path: /etc/default/grub
+- regexp: '(GRUB_CMDLINE_LINUX=.*)"'
+- replace: '\1 {{{ ARG_NAME_VALUE }}}"'
+- when: argcheck.rc != 0
+-
+-- name: Update bootloader menu
++- name: Update grub defaults and the bootloader menu
+ command: /sbin/grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+-
+-{{%- endif %}}
+-
+-{{% if system_with_kernel_options_in_grubenv -%}}
+-
+-- name: Get current kernel parameters
+- ansible.builtin.shell:
+- cmd: '/usr/bin/grub2-editenv - list | grep "kernelopts="'
+- register: kernelopts
+- ignore_errors: yes
+- changed_when: False
+-
+-- name: Update the
bootloader menu
+- command: /usr/bin/grub2-editenv - set "{{ item }} {{{ ARG_NAME_VALUE }}}"
+- with_items: "{{ kernelopts.stdout_lines | select('match', '^kernelopts.*') | list }}"
+- when:
+- - kernelopts.rc == 0
+- - kernelopts.stdout_lines is defined
+- - kernelopts.stdout_lines | length > 0
+- - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?{{{ ARG_NAME_VALUE }}}(?:\s.*)?$', multiline=True) is none
+-
+-- name: Update the bootloader menu when there are no entries previously set
+- command: /usr/bin/grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}"
+- when:
+- - kernelopts.rc != 0
+-
+-{{%- endif %}}
+diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
+index b188d1e3689..5f97efd498f 100644
+--- a/shared/templates/grub2_bootloader_argument/bash.template
++++ b/shared/templates/grub2_bootloader_argument/bash.template
+@@ -4,59 +4,28 @@
+ Product-specific categorization should be synced across all template content types
+ -#}}
+
+-{{% set system_with_expanded_kernel_options_in_loader_entries = false -%}}
+-{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}}
+-{{% set system_with_kernel_options_in_grubenv = false -%}}
+-{{% set system_with_kernel_options_in_etc_default_grub = true -%}}
+-{{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
++{{% set grub_helper_executable = "grubby" -%}}
++{{% set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ ARG_NAME_VALUE] -%}}
+-{{% if product in ["rhel9"] %}}
+-{{% set system_with_expanded_kernel_options_in_loader_entries = true %}}
+-{{% endif -%}}
+-
+-{{% if product in ["rhel8"] %}}
+-{{% set system_with_referenced_kernel_options_in_loader_entries = true %}}
+-{{% set system_with_kernel_options_in_grubenv = true %}}
+-{{% endif -%}}
+-
+-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+-{{% set system_with_expanded_kernel_options_in_grub_cfg = true %}}
+-{{% endif -%}}
+- +-{{% macro update_etc_default_grub(arg_name_value) %}} +-{{% if 'ubuntu' in product %}} +-update-grub +-{{% else %}} +-grubby --update-kernel=ALL --args="{{{ arg_name_value }}}" +-{{% endif %}} +-{{% endmacro -%}} +- +-{{% if system_with_kernel_options_in_etc_default_grub %}} +-{{% if '/' in ARG_NAME %}} +-{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}} +-{{% elif '/' in ARG_NAME_VALUE %}} +-{{{ raise("ARG_NAME_VALUE (" + ARG_NAME_VALUE + ") uses sed path separator (/) in " + rule_id) }}} +-{{% endif %}} ++{{%- macro update_etc_default_grub_manually() -%}} + # Correct the form of default kernel command line in GRUB + if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then +- # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists +- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub' ++ # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub' + else +- # no {{{ ARG_NAME }}}=arg is present, append it +- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub' ++ # no {{{ ARG_NAME }}}=arg is present, append it ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub' + fi +-{{% endif %}} ++{{%- endmacro %}} ++ ++{{% if 'ubuntu' in product %}} ++{{{ update_etc_default_grub_manually() }}} ++{{% set grub_helper_executable = "update-grub" -%}} ++{{% endif -%}} + +-{{{ update_etc_default_grub(ARG_NAME_VALUE) }}} ++{{% if product in ["rhel8", "ol8"] %}} ++{{# Suppress the None output of append -#}} ++{{{ grub_helper_args.append("--env=/boot/grub2/grubenv") or "" -}}} ++{{% endif -%}} + +-{{% if system_with_kernel_options_in_grubenv -%}} +-# Correct grub2 kernelopts value using grub2-editenv 
+-existing_kernelopts="$(grub2-editenv - list | grep kernelopts)" +-if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then +- if test -n "$existing_kernelopts"; then +- grub2-editenv - set "$existing_kernelopts {{{ ARG_NAME_VALUE }}}" +- else +- grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}" +- fi +-fi +-{{% endif %}} ++{{{ grub_helper_executable }}} {{{ " ".join(grub_helper_args) }}} +diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template +index 88fa7b7a3ee..6981cc14045 100644 +--- a/shared/templates/grub2_bootloader_argument/oval.template ++++ b/shared/templates/grub2_bootloader_argument/oval.template +@@ -1,6 +1,6 @@ + {{#- + We set defaults to "off", and products should enable relevant ones depending on how the product configures grub. +- - /boot/loader/entries/* may not exist don't exist ++ - /boot/loader/entries/* may not exist. + - If they exist, they can reference variables defined in grubenv, or they can contain literal args + - The grub cfg may either use those loader entries, or it can contain literal values as well + - Kernel opts can be stored in /etc/default/grub so they are persistent between kernel upgrades +@@ -116,7 +116,12 @@ + ^.*\.conf$ + ^options (.*)$ + 1 ++ state_grub2_rescue_entry_for_{{{ _RULE_ID }}} + ++ ++ ++ rescue.conf ++ + {{%- endif %}} + + {{%- if system_with_expanded_kernel_options_in_grub_cfg %}} +diff --git a/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh +new file mode 100644 +index 00000000000..ee6e2c67f34 +--- /dev/null ++++ b/shared/templates/grub2_bootloader_argument/tests/invalid_rescue.pass.sh +@@ -0,0 +1,6 @@ ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9 ++# packages = grub2,grubby ++ ++{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}} ++ ++echo 
"I am an invalid boot entry, but nobody should care, because I am rescue" > /boot/loader/entries/trololol-rescue.conf +diff --git a/tests/test_rule_in_container.sh b/tests/test_rule_in_container.sh +index 395fc4e856c..a8691ca7463 100755 +--- a/tests/test_rule_in_container.sh ++++ b/tests/test_rule_in_container.sh +@@ -221,7 +221,7 @@ additional_args=() + test "$_arg_dontclean" = on && additional_args+=(--dontclean) + + # Don't act on the default value. +-test -n "$_arg_scenarios" && additional_args+=(--scenario "'$_arg_scenarios'") ++test -n "$_arg_scenarios" && additional_args+=(--scenario "$_arg_scenarios") + + test -n "$_arg_datastream" && additional_args+=(--datastream "$_arg_datastream") + + +From 8dda6030dea885c7c7e7e8f1024f5f2edf5bc36c Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Mon, 14 Feb 2022 13:45:09 +0100 +Subject: [PATCH 4/5] Add support for checks of both BIOS/UEFI systems + +--- + .../grub2_bootloader_argument/oval.template | 57 +++++++++++++++---- + 1 file changed, 46 insertions(+), 11 deletions(-) + +diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template +index 6981cc14045..71367465663 100644 +--- a/shared/templates/grub2_bootloader_argument/oval.template ++++ b/shared/templates/grub2_bootloader_argument/oval.template +@@ -10,6 +10,7 @@ + {{% set system_with_kernel_options_in_grubenv = false -%}} + {{% set system_with_kernel_options_in_etc_default_grub = true -%}} + {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}} ++{{% set system_with_bios_and_uefi_support = false -%}} + + {{% if product in ["rhel9"] -%}} + {{% set system_with_expanded_kernel_options_in_loader_entries = true %}} +@@ -24,13 +25,25 @@ + {{% set system_with_expanded_kernel_options_in_grub_cfg = true %}} + {{%- endif -%}} + ++{{% if grub2_uefi_boot_path and grub2_uefi_boot_path != grub2_boot_path -%}} ++{{% set system_with_bios_and_uefi_support = true %}} ++{{%- endif -%}} ++ + + + {{{ 
oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}} + + {{% if system_with_kernel_options_in_grubenv -%}} ++ {{% if system_with_bios_and_uefi_support -%}} ++ ++ {{%- endif %}} + ++ {{% if system_with_bios_and_uefi_support -%}} ++ ++ ++ {{%- endif %}} + {{%- endif %}} + {{% if system_with_referenced_kernel_options_in_loader_entries -%}} + +@@ -40,8 +53,16 @@ + comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/loader/entries/*.conf" /> + {{%- endif %}} + {{% if system_with_expanded_kernel_options_in_grub_cfg -%}} ++ {{% if system_with_bios_and_uefi_support -%}} ++ ++ {{%- endif %}} + ++ {{% if system_with_bios_and_uefi_support -%}} ++ ++ ++ {{%- endif %}} + {{%- endif %}} + {{% if system_with_kernel_options_in_etc_default_grub -%}} + +@@ -88,19 +109,26 @@ + {{%- endif %}} + + {{%- if system_with_kernel_options_in_grubenv %}} +- +- ++ + + + +- +- {{{ grub2_boot_path }}}/grubenv ++ {{{ path }}} + ^kernelopts=(.*)$ + 1 + ++{{%- endmacro %}} ++ ++{{{ test_and_object_for_kernel_options_grub_env("grub2_" ~ SANITIZED_ARG_NAME ~ "_argument_grub_env", grub2_boot_path ~ "/grubenv") }}} ++{{% if system_with_bios_and_uefi_support -%}} ++{{{ test_and_object_for_kernel_options_grub_env("grub2_" ~ SANITIZED_ARG_NAME ~ "_argument_grub_env_uefi", grub2_uefi_boot_path ~ "/grubenv") }}} ++{{%- endif %}} + {{%- endif %}} + + {{%- if system_with_expanded_kernel_options_in_loader_entries %}} +@@ -120,21 +148,22 @@ + + + +- rescue.conf ++ .*rescue.conf$ + + {{%- endif %}} + + {{%- if system_with_expanded_kernel_options_in_grub_cfg %}} +- +- ++ + + + +- +- {{{ grub2_boot_path }}}/grub.cfg ++ {{{ path }}} + {{% if product in ["rhel7"] or 'ubuntu' in product %}} + ^.*/vmlinuz.*(root=.*)$ + {{% else %}} +@@ -142,6 +171,12 @@ + {{% endif %}} + 1 + ++{{%- endmacro %}} ++ ++{{{ test_and_object_for_kernel_options_grub_cfg("grub2_" + SANITIZED_ARG_NAME + "_argument_grub_cfg", grub2_boot_path ~ "/grub.cfg") 
}}} ++{{% if system_with_bios_and_uefi_support -%}} ++{{{ test_and_object_for_kernel_options_grub_cfg("grub2_" + SANITIZED_ARG_NAME + "_argument_grub_cfg_uefi", grub2_uefi_boot_path ~ "/grub.cfg") }}} ++{{%- endif %}} + {{%- endif %}} + + +Date: Mon, 14 Feb 2022 14:49:34 +0100 +Subject: [PATCH 5/5] Correct test scenario metadata + +- Grubenv doesn't relate to anything else than RHEL8 +- The grubby remediation has different behavior in corner-cases + that are technically unsupported, so the corresponding test scenario has been dropped. +--- + .../grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh | 1 + + .../auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh b/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh +index 5af2acc317e..956c8ac79fd 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + + # platform = Red Hat Enterprise Linux 8 ++# remediation = none + + # Removes audit argument from kernel command line in /boot/grub2/grubenv + file="/boot/grub2/grubenv" +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh b/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh +index 0ec9a1d6e38..9823b08dff9 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/tests/correct_grubenv.pass.sh +@@ -1,4 +1,4 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 ++# platform = Red Hat Enterprise Linux 8 + + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" 
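Review bot: In [PATCH 3/5] the bash template hard-codes the grubenv location for rhel8/ol8, `{{{ grub_helper_args.append("--env=/boot/grub2/grubenv") or "" -}}}`, while [PATCH 4/5] extends the OVAL check to look at both `grub2_boot_path ~ "/grubenv"` and `grub2_uefi_boot_path ~ "/grubenv"` whenever the two paths differ, so a host whose kernelopts are kept only under the UEFI path may be reported by the check yet left untouched by the remediation. Deriving the argument from the same product variable keeps check and fix aligned: `{{{ grub_helper_args.append("--env=" ~ grub2_boot_path ~ "/grubenv") or "" -}}}`. The Ansible remediation in the same commit drops the grub2-editenv branch and now runs a bare `/sbin/grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"` with no `--env`, so on rhel8 the bash and Ansible remediations no longer name the same file; whether grubby's default env file already covers this is not visible here and deserves a short comment on that task.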
diff --git a/scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch b/scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
new file mode 100644
index 0000000..c5bc6f7
--- /dev/null
+++ b/scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
@@ -0,0 +1,126 @@ +From 622558873703704bd97fde1874a9a782d4cb8b0e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 14 Feb 2022 17:51:50 +0100 +Subject: [PATCH] Introduce CPE for aarch64 and make package_rear_installed n/a + aarch64. + +This rule is not applicable for RHEL9 only. +--- + .../package_rear_installed/rule.yml | 4 +++ + shared/applicability/arch.yml | 12 +++++++ + ...proc_sys_kernel_osrelease_arch_aarch64.xml | 33 +++++++++++++++++++ + ..._sys_kernel_osrelease_arch_not_aarch64.xml | 16 +++++++++ + ssg/constants.py | 2 ++ + 5 files changed, 67 insertions(+) + create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml + create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml + +diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml +index 6e3c11e5749..efb591654a9 100644 +--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml +@@ -25,6 +25,10 @@ ocil: '{{{ ocil_package(package="rear") }}}' + # The package is not available for s309x on RHEL<8.5 + # platform: not_s390x_arch + ++{{%- if product == "rhel9" %}} ++platform: not_aarch64_arch ++{{%- endif %}} ++ + template: + name: package_installed + vars: +diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml +index d2cbd102310..9ac05317a95 100644 +--- a/shared/applicability/arch.yml ++++ b/shared/applicability/arch.yml +@@ -12,3 +12,15 @@ cpes: + check_id: proc_sys_kernel_osrelease_arch_s390x + bash_conditional: 'grep -q s390x /proc/sys/kernel/osrelease' + ++ - not_aarch64_arch: ++ name: "cpe:/a:not_aarch64_arch" ++ title: "System architecture is not AARCH64" ++ check_id: proc_sys_kernel_osrelease_arch_not_aarch64 ++ bash_conditional: "! 
grep -q aarch64 /proc/sys/kernel/osrelease" ++ ++ - aarch64_arch: ++ name: "cpe:/a:aarch64_arch" ++ title: "System architecture is AARCH64" ++ check_id: proc_sys_kernel_osrelease_arch_aarch64 ++ bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease' ++ +diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml +new file mode 100644 +index 00000000000..3d54f81e6d4 +--- /dev/null ++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_aarch64.xml +@@ -0,0 +1,33 @@ ++ ++ ++ ++ Test that the architecture is aarch64 ++ ++ multi_platform_all ++ ++ Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /proc/sys/kernel/osrelease ++ ^.*\.(.*)$ ++ 1 ++ ++ ++ ++ ^aarch64$ ++ ++ +diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml +new file mode 100644 +index 00000000000..3fce66ee00a +--- /dev/null ++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_aarch64.xml +@@ -0,0 +1,16 @@ ++ ++ ++ ++ Test for different architecture than aarch64 ++ ++ multi_platform_all ++ ++ Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64 ++ ++ ++ ++ ++ ++ +diff --git a/ssg/constants.py b/ssg/constants.py +index 64d7d36c989..92cc2f8de34 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -424,6 +424,8 @@ + "non-uefi": None, + "not_s390x_arch": None, + "s390x_arch": None, ++ "not_aarch64_arch": None, ++ "aarch64_arch": None, + "ovirt": None, + "no_ovirt": None, + } diff --git a/scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch b/scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch new file mode 100644 index 0000000..c64e503 --- /dev/null +++ b/scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch 
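Review bot: The new `not_aarch64_arch` and `aarch64_arch` entries in `shared/applicability/arch.yml` (and their OVAL checks) derive the architecture from `/proc/sys/kernel/osrelease`, which describes the kernel the scanner is running under; for an offline scan of an image (chroot/container mode) that value reflects the scanning host or is absent, not the target being evaluated. The existing `not_s390x_arch` CPE works the same way, so the addition is consistent, but that limitation should be stated next to the new entries, e.g. `# Architecture is read from the running kernel; offline image scans see the host, not the target`. The commit message says the rule is not applicable "for RHEL9 only", and the `rule.yml` hunk does gate `platform: not_aarch64_arch` on `product == "rhel9"`, but the CPE itself is registered for every product in `ssg/constants.py`; a short note in `package_rear_installed/rule.yml` saying why the restriction is RHEL 9-specific (rear not shipped for aarch64 there) would keep the next reader from extending it to RHEL 8 by accident.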
@@ -0,0 +1,163 @@ +From 573ae69742cf372d41da6c56a3051745326055cd Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 14 Feb 2022 15:54:37 +0100 +Subject: [PATCH] Update RHEL-08-010385 to allow only one occurrence of config. + +This configuration must appear at only one place so it doesn't get +overriden by a different file that can loaded on a different order and +the intended configuration is replaced by non-compliant value. +--- + .../ansible/shared.yml | 36 ++++++++++++++++++ + .../bash/shared.sh | 38 +++++++++++++++++++ + .../oval/shared.xml | 4 +- + .../sudo_require_reauthentication/rule.yml | 14 +------ + .../tests/multiple_correct_value.fail.sh | 10 +++++ + 5 files changed, 87 insertions(+), 15 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh + create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml +new file mode 100644 +index 00000000000..b0c67a69af9 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml +@@ -0,0 +1,36 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}} ++- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated" ++ find: ++ path: "/etc/sudoers.d" ++ patterns: "*" ++ contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*' ++ register: sudoers_d_defaults_timestamp_timeout ++ ++- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files" ++ lineinfile: 
++ path: "{{ item.path }}" ++ regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*' ++ state: absent ++ with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}" ++ ++- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers ++ lineinfile: ++ path: /etc/sudoers ++ regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$' ++ line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2' ++ validate: /usr/sbin/visudo -cf %s ++ backrefs: yes ++ register: edit_sudoers_timestamp_timeout_option ++ ++- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers ++ lineinfile: # noqa 503 ++ path: /etc/sudoers ++ line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}' ++ validate: /usr/sbin/visudo -cf %s ++ when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh +new file mode 100644 +index 00000000000..0b623ed4a49 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh +@@ -0,0 +1,38 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++ ++{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}} ++ ++if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then ++ find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \; ++fi ++ ++if /usr/sbin/visudo -qcf /etc/sudoers; then ++ cp /etc/sudoers /etc/sudoers.bak ++ if ! 
grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then ++ # sudoers file doesn't define Option timestamp_timeout ++ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers ++ else ++ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set ++ if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then ++ ++ sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers ++ fi ++ fi ++ ++ # Check validity of sudoers and cleanup bak ++ if /usr/sbin/visudo -qcf /etc/sudoers; then ++ rm -f /etc/sudoers.bak ++ else ++ echo "Fail to validate remediated /etc/sudoers, reverting to original file." ++ mv /etc/sudoers.bak /etc/sudoers ++ false ++ fi ++else ++ echo "Skipping remediation, /etc/sudoers failed to validate" ++ false ++fi +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml +index 8f404ca6065..dfc319b6f1f 100644 +--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml +@@ -6,13 +6,13 @@ + + + +- ++ + + + + + +- /etc/sudoers ++ ^/etc/sudoers(\.d/.*)?$ + ^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$ + 1 + +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +index 42c6e28f9e6..eebb96678f1 100644 +--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +@@ -50,16 +50,4 @@ ocil: |- +
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
+ The output should be: +
/etc/sudoers:Defaults timestamp_timeout=0
or "timestamp_timeout" is set to a positive number. +- +-template: +- name: sudo_defaults_option +- vars: +- option: timestamp_timeout +- variable_name: "var_sudo_timestamp_timeout" +- # optional minus char added so remediation can detect properly if item is already configured +- option_regex_suffix: '=[-]?\w+\b' +- backends: +- # Template is not able to accomodate this particular check. +- # It needs to check for an integer greater than or equal to zero +- oval: "off" +- ++ If results are returned from more than one file location, this is a finding. +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh +new file mode 100644 +index 00000000000..a258d6632b5 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++ ++if grep -q 'timestamp_timeout' /etc/sudoers; then ++ sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers ++else ++ echo "Defaults timestamp_timeout=3" >> /etc/sudoers ++fi ++ ++echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 4a0dfc1..21a8329 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.60 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ 
@@ -50,6 +50,13 @@ Patch32: scap-security-guide-0.1.61-ospp-boot-parametersb-PR_8092.patch Patch33: scap-security-guide-0.1.61-ospp-audit.conf-rules-PR_8188.patch Patch34: scap-security-guide-0.1.61-distributed-sshd-rekeylimit-PR_8148.patch Patch35: scap-security-guide-0.1.61-supported-rhel9-PR_8202.patch +Patch36: scap-security-guide-0.1.61-chrony_maxpoll-PR_8187.patch +Patch37: scap-security-guide-0.1.61-add_missing_srgs-PR_8218.patch +Patch38: scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch +Patch39: scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch +Patch40: scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch +Patch41: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch +Patch42: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch BuildRequires: libxslt BuildRequires: expat @@ -136,6 +143,14 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %endif %changelog +* Mon Feb 14 2022 Gabriel Becker - 0.1.60-3 +- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403) +- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403) +- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403) +- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561) +- Update GRUB2 rule descriptions (RHBZ#2020623) +- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561) + * Fri Feb 11 2022 Watson Sato - 0.1.60-2 - Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
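Review bot: The seven new `PatchN:` declarations (Patch36–Patch42) are added here but the hunk does not show how they are applied; if `%prep` uses `%setup` with explicit `%patchN -p1` lines rather than `%autosetup`, matching `%patch36 -p1` … `%patch42 -p1` entries are needed or the patches never reach the build. The changelog hunk maps "Make package_rear_installed not applicable on AARCH64" to RHBZ#2014561, the same bug as the GRUB2 template fix, while the commit message lists three distinct bugs; that may be intended, but it is the only reused reference and is worth confirming before the build is submitted.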