import scap-security-guide-0.1.63-5.el8

SOURCES/scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch

@@ -0,0 +1,29 @@
+From 172258291cea7100e89002203f3d9ae1bc468cd3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 21 Sep 2022 17:22:29 +0200
+Subject: [PATCH] add warning to sysctl_net_ipv4_conf_all_forwarding
+
+---
+ .../sysctl_net_ipv4_conf_all_forwarding/rule.yml         | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
+index 7b0066f7c29..20a778cdf9e 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
+@@ -36,6 +36,15 @@ srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless th
+ 
+ platform: machine
+ 
++
++warnings:
++    - general: |-
++        There might be cases when certain applications can systematically override this option.
++        One such case is {{{ weblink("https://libvirt.org/", "Libvirt") }}}; a toolkit for managing of virtualization platforms.
++        By default, Libvirt requires IP forwarding to be enabled to facilitate
++        network communication between the virtualization host and guest
++        machines. It enables IP forwarding after every reboot.
++
+ template:
+     name: sysctl
+     vars:

SOURCES/scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch

@@ -0,0 +1,26 @@
+From bd2128cdc6a657306b8c9644481346f0ab4411f6 Mon Sep 17 00:00:00 2001
+From: Edgar Aguilar <edgar.aguilar@oracle.com>
+Date: Mon, 5 Sep 2022 11:07:33 -0500
+Subject: [PATCH] Update OVAL in openssh rule
+
+Update OVAL in harden_sshd_ciphers_opensshserver_conf_crypto_policy to
+align it with generated conf by remediation
+
+Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
+---
+ .../oval/shared.xml                                             | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+index 53919eaae7f..21d4e716dbc 100644
+--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+@@ -16,7 +16,7 @@
+ 
+   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+     <ind:filepath>{{{ PATH }}}</ind:filepath>
+-    <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=\S+).*$</ind:pattern>
++    <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=[^\s']+).*$</ind:pattern>
+     <ind:instance operation="equals" datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 

SOURCES/scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch

@@ -0,0 +1,472 @@
+From 3fba5ec874f0269d81af9bca90e524703980345d Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Mon, 14 Nov 2022 15:46:12 +0100
+Subject: [PATCH 1/5] Update ocil and fixtext in fapolicy_default_deny
+
+Rules are stored in different places depending on the system version.
+These changes are now explicit in ocil and fixtext. In RHEL8.6 it was
+introduced the rules.d feature and together the fagenrules script which
+reads and concatenate the rules from rules.d to finally save the result
+in the /etc/fapolicyd/compiled.rules file.
+---
+ .../services/fapolicyd/fapolicy_default_deny/rule.yml  | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+index 5b9a1649571..eeecd34e69a 100644
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+@@ -39,10 +39,14 @@ ocil: |-
+ 
+     permissive = 0
+ 
+-    Check that fapolicyd employs a deny-all policy on system mounts with the following command:
++    Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
+ 
++    For RHEL 8.5 systems and older:
+     $ sudo tail /etc/fapolicyd/fapolicyd.rules
+ 
++    For RHEL 8.6 systems and newer:
++    $ sudo tail /etc/fapolicyd/compiled.rules
++
+     allow exe=/usr/bin/python3.7 : ftype=text/x-python
+     deny_audit perm=any pattern=ld_so : all
+     deny perm=any all : all
+@@ -54,8 +58,12 @@ fixtext: |-
+ 
+     permissive = 1
+ 
++    For RHEL 8.5 systems and older:
+     Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
+ 
++    For RHEL 8.6 systems and newer:
++    Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
++
+     Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
+ 
+     permissive = 0
+
+From 0b4eaa7e7d96600eef42ad45524e0b4c6e003990 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Thu, 17 Nov 2022 09:40:20 +0100
+Subject: [PATCH 2/5] Refactored the OVAL assessment for fapolicy_default_deny
+
+Firsly the existing checks were aligned to the style guides and the
+comments were reviewed. The regex used to identify the expected policy
+was also fixed since it wasn't ensuring the deny policy if defined in a
+wrong position. Finally, it was extended the assessment to consider the
+/etc/fapolicyd/compiled.rules file.
+---
+ .../fapolicy_default_deny/oval/shared.xml     | 64 +++++++++++++------
+ 1 file changed, 43 insertions(+), 21 deletions(-)
+
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
+index 9989459ad22..40bdcf870ca 100644
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
+@@ -4,36 +4,58 @@
+         oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
+         }}}
+         <criteria>
+-        <criterion comment="fapolicyd employs a deny-all policy"
+-        test_ref="test_fapolicy_default_deny_policy" />
+-        <criterion comment="fapolicyd is in enforcement mode"
+-        test_ref="test_fapolicy_default_deny_enforcement" />
++            <criteria operator="OR">
++                <criterion comment="fapolicyd employs a deny-all policy in compiled.rules file"
++                    test_ref="test_fapolicy_default_deny_policy_with_rulesd"/>
++                <criterion comment="fapolicyd employs a deny-all policy fapolicyd.rules file"
++                    test_ref="test_fapolicy_default_deny_policy_without_rulesd"/>
++            </criteria>
++            <criterion comment="fapolicyd is in enforcement mode"
++                test_ref="test_fapolicy_default_deny_enforcement"/>
+         </criteria>
+     </definition>
+ 
+-    <ind:textfilecontent54_test check_existence="only_one_exists" check="all"
+-    comment="fapolicyd employs a deny-all policy"
+-    id="test_fapolicy_default_deny_policy" version="1">
+-        <ind:object object_ref="obj_fapolicy_default_deny_policy" />
++    <ind:textfilecontent54_test id="test_fapolicy_default_deny_policy_with_rulesd" version="1"
++        check_existence="only_one_exists" check="all"
++        comment="fapolicyd employs a deny-all policy in compiled.rules file">
++        <ind:object object_ref="object_fapolicy_default_deny_policy_compiled_rules"/>
+     </ind:textfilecontent54_test>
+-    <ind:textfilecontent54_object id="obj_fapolicy_default_deny_policy" version="1">
+-        <ind:behaviors multiline="false" />
++
++    <ind:textfilecontent54_object id="object_fapolicy_default_deny_policy_compiled_rules"
++        version="1">
++        <ind:filepath>/etc/fapolicyd/compiled.rules</ind:filepath>
++        <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>
++        <ind:instance datatype="int">1</ind:instance>
++    </ind:textfilecontent54_object>
++
++    <ind:textfilecontent54_test id="test_fapolicy_default_deny_policy_without_rulesd" version="2"
++        check_existence="only_one_exists" check="all"
++        comment="fapolicyd employs a deny-all policy in fapolicyd.rules file">
++        <ind:object object_ref="object_fapolicy_default_deny_policy_fapolicyd_rules"/>
++    </ind:textfilecontent54_test>
++
++    <ind:textfilecontent54_object id="object_fapolicy_default_deny_policy_fapolicyd_rules"
++        version="2">
+         <ind:filepath>/etc/fapolicyd/fapolicyd.rules</ind:filepath>
+-        <ind:pattern operation="pattern match">(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$</ind:pattern>
++        <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>
+         <ind:instance datatype="int">1</ind:instance>
+     </ind:textfilecontent54_object>
+-    <ind:textfilecontent54_test check_existence="all_exist" check="all"
+-    comment="fapolicyd is in enforcement mode"
+-    id="test_fapolicy_default_deny_enforcement" version="1">
+-        <ind:object object_ref="obj_fapolicy_default_deny_enforcement" />
+-        <ind:state state_ref="state_fapolicy_default_deny_enforcement" />
++
++    <ind:textfilecontent54_test id="test_fapolicy_default_deny_enforcement" version="2"
++        check_existence="all_exist" check="all"
++        comment="permissive mode is disabled in fapolicyd settings">
++        <ind:object object_ref="object_fapolicy_default_deny_permissive_mode" />
++        <ind:state state_ref="state_fapolicy_default_deny_permissive_mode_off" />
+     </ind:textfilecontent54_test>
+-    <ind:textfilecontent54_object id="obj_fapolicy_default_deny_enforcement" version="1">
++
++    <ind:textfilecontent54_object id="object_fapolicy_default_deny_permissive_mode" version="2">
+         <ind:filepath>/etc/fapolicyd/fapolicyd.conf</ind:filepath>
+         <ind:pattern operation="pattern match">^\s*permissive\s*=\s*(\d+)</ind:pattern>
+-        <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++        <ind:instance datatype="int" operation="equals">1</ind:instance>
+     </ind:textfilecontent54_object>
+-    <ind:textfilecontent54_state id="state_fapolicy_default_deny_enforcement" version="1" comment="root email alias">
+-    <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
+-  </ind:textfilecontent54_state>
++
++    <ind:textfilecontent54_state id="state_fapolicy_default_deny_permissive_mode_off" version="2"
++        comment="permissive mode value is set to 0 (off) in fapolicyd settings file">
++        <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
++    </ind:textfilecontent54_state>
+ </def-group>
+
+From a0fc2ee0b58404ca642804a8977eca6b77fb6807 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Thu, 17 Nov 2022 10:32:51 +0100
+Subject: [PATCH 3/5] Refactored the test scenario scripts
+
+The scripts were invalid and wrongly reporting results. The main issue
+was in scripts which intended to create two lines in a file but were
+overwriting the entire file in the second command instead of append the
+second line. The scripts were also refactored to consider systems using
+the rules.d feature and also older systems which doesn't have the
+rules.d feature. Another issue was that "no_quotes" was false by default
+in the bash_shell_file_set macro, but the fapolicyd.conf doesn't expect
+quotes and this was causing inconsistency in the file, so the no_quotes
+was set to true when calling the macro from test scenarios. Finally the
+scripts names were better aligned to their respective scenarios.
+---
+ .../tests/allow_policy.fail.sh                 | 18 ++++++++++++++++++
+ .../tests/commented_value.fail.sh              | 12 ------------
+ .../tests/correct_value.pass.sh                | 12 ------------
+ .../tests/deny_not_last.fail.sh                | 12 ------------
+ .../tests/deny_policy.pass.sh                  | 18 ++++++++++++++++++
+ .../tests/deny_policy_but_permissive.fail.sh   | 16 ++++++++++++++++
+ .../tests/deny_policy_commented.fail.sh        | 18 ++++++++++++++++++
+ .../tests/deny_policy_not_ensured.fail.sh      | 18 ++++++++++++++++++
+ .../tests/fapolicy_permissive.fail.sh          |  5 -----
+ .../tests/wrong_value.fail.sh                  | 11 -----------
+ 10 files changed, 88 insertions(+), 52 deletions(-)
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
+ delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
+ delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
+ delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
+ delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
+ delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
+
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
+new file mode 100644
+index 00000000000..23d7e699056
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
+@@ -0,0 +1,18 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
++
++if [ -f /etc/fapolicyd/compiled.rules ]; then
++    active_rules_file="/etc/fapolicyd/compiled.rules"
++else
++    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
++fi
++
++truncate -s 0 $active_rules_file
++
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
++echo "allow perm=any all : all" >> $active_rules_file
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
+deleted file mode 100644
+index a8df835af76..00000000000
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
++++ /dev/null
+@@ -1,12 +0,0 @@
+-#!/bin/bash
+-# packages = fapolicyd
+-# remediation = none
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+-
+-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+-
+-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+-echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
+deleted file mode 100644
+index c88406b0be4..00000000000
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
++++ /dev/null
+@@ -1,12 +0,0 @@
+-#!/bin/bash
+-# packages = fapolicyd
+-# remediation = none
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+-
+-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+-
+-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+-echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
+deleted file mode 100644
+index 59b16308563..00000000000
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
++++ /dev/null
+@@ -1,12 +0,0 @@
+-#!/bin/bash
+-# packages = fapolicyd
+-# remediation = none
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+-
+-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+-
+-echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
+-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
+new file mode 100644
+index 00000000000..f3ff83ca602
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
+@@ -0,0 +1,18 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
++
++if [ -f /etc/fapolicyd/compiled.rules ]; then
++    active_rules_file="/etc/fapolicyd/compiled.rules"
++else
++    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
++fi
++
++truncate -s 0 $active_rules_file
++
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
++echo "deny perm=any all : all" >> $active_rules_file
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
+new file mode 100644
+index 00000000000..caa401ca174
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
+@@ -0,0 +1,16 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
++
++if [ -f /etc/fapolicyd/compiled.rules ]; then
++    active_rules_file="/etc/fapolicyd/compiled.rules"
++else
++    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
++fi
++
++truncate -s 0 $active_rules_file
++
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
++echo "deny perm=any all : all" >> $active_rules_file
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
+new file mode 100644
+index 00000000000..4e4bc430cec
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
+@@ -0,0 +1,18 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
++
++if [ -f /etc/fapolicyd/compiled.rules ]; then
++    active_rules_file="/etc/fapolicyd/compiled.rules"
++else
++    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
++fi
++
++truncate -s 0 $active_rules_file
++
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
++echo "# deny perm=any all : all" >> $active_rules_file
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
+new file mode 100644
+index 00000000000..b52e5446afc
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
+@@ -0,0 +1,18 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
++
++if [ -f /etc/fapolicyd/compiled.rules ]; then
++    active_rules_file="/etc/fapolicyd/compiled.rules"
++else
++    active_rules_file="/etc/fapolicyd/fapolicyd.rules"
++fi
++
++truncate -s 0 $active_rules_file
++
++echo "deny perm=any all : all" >> $active_rules_file
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
+deleted file mode 100644
+index 50756a0e7a3..00000000000
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
++++ /dev/null
+@@ -1,5 +0,0 @@
+-#!/bin/bash
+-# packages = fapolicyd
+-# remediation = none
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
+deleted file mode 100644
+index da3e33f57fd..00000000000
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
++++ /dev/null
+@@ -1,11 +0,0 @@
+-#!/bin/bash
+-# packages = fapolicyd
+-# remediation = none
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+-
+-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+-
+-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+-
+-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+
+From 0b731cf7a0433111311ab5e427a54d2f6c1b9d14 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Thu, 17 Nov 2022 11:02:34 +0100
+Subject: [PATCH 4/5] Fixed bash_shell_file_set macro to consider spaces
+
+Once the test scenario scripts were fixed, an issue was revelead in
+bash_shell_file_set macro. The macro was not considering config files
+which have spaces before and after the separator carachter. Since the
+separator_regex parameter already expects regex format, it was easily
+extended.
+---
+ shared/macros/10-bash.jinja | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
+index ae0f0e5e6ad..0e369314645 100644
+--- a/shared/macros/10-bash.jinja
++++ b/shared/macros/10-bash.jinja
+@@ -122,13 +122,13 @@ fi
+ {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
+ {{% if no_quotes -%}}
+   {{% if "$" in value %}}
+-  {{% set value = '%s' % value.replace("$", "\\$") %}}
++    {{% set value = '%s' % value.replace("$", "\\$") %}}
+   {{% endif %}}
+ {{%- else -%}}
+   {{% if "$" in value %}}
+-  {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
++    {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
+   {{% else %}}
+-  {{% set value = "'%s'" % value %}}
++    {{% set value = "'%s'" % value %}}
+   {{% endif %}}
+ {{%- endif -%}}
+ {{{ set_config_file(
+@@ -140,7 +140,7 @@ fi
+         insert_before="^#\s*" ~ parameter,
+         insensitive=false,
+         separator="=",
+-        separator_regex="=",
++        separator_regex="\s*=\s*",
+         prefix_regex="^\s*")
+     }}}
+ {{%- endmacro -%}}
+
+From 3a8101e921f7b0b5e261fdbf4b42bf210fcccf78 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Fri, 18 Nov 2022 09:58:47 +0100
+Subject: [PATCH 5/5] Use jinja to limit the RHEL 8 minor version text
+
+The change is intended to avoid that RHEL 9 and OL get RHEL 8 minor
+version text.
+---
+ .../guide/services/fapolicyd/fapolicy_default_deny/rule.yml   | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+index eeecd34e69a..220801bc471 100644
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+@@ -41,10 +41,12 @@ ocil: |-
+ 
+     Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
+ 
++    {{%- if product in ["rhel8"] %}}
+     For RHEL 8.5 systems and older:
+     $ sudo tail /etc/fapolicyd/fapolicyd.rules
+ 
+     For RHEL 8.6 systems and newer:
++    {{%- endif %}}
+     $ sudo tail /etc/fapolicyd/compiled.rules
+ 
+     allow exe=/usr/bin/python3.7 : ftype=text/x-python
+@@ -58,10 +60,12 @@ fixtext: |-
+ 
+     permissive = 1
+ 
++    {{%- if product in ["rhel8"] %}}
+     For RHEL 8.5 systems and older:
+     Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
+ 
+     For RHEL 8.6 systems and newer:
++    {{%- endif %}}
+     Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
+ 
+     Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.

SOURCES/scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch

@@ -0,0 +1,41 @@
+From 7e2c7cc70acfdd71c64a8d9c0b6ea365a65ac1d5 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Nov 2022 14:01:17 +0100
+Subject: [PATCH 2/2] accounts_password: Add tests for conflicting and
+ duplicate values
+
+Add tests for conflicting and duplicate values
+---
+ .../accounts_password/tests/conflicting_values.fail.sh    | 8 ++++++++
+ .../accounts_password/tests/duplicated_values.pass.sh     | 7 +++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 shared/templates/accounts_password/tests/conflicting_values.fail.sh
+ create mode 100644 shared/templates/accounts_password/tests/duplicated_values.pass.sh
+
+diff --git a/shared/templates/accounts_password/tests/conflicting_values.fail.sh b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
+new file mode 100644
+index 00000000000..3517ff43083
+--- /dev/null
++++ b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
++
++truncate -s 0 /etc/security/pwquality.conf
++
++echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
++
++echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> /etc/security/pwquality.conf
+diff --git a/shared/templates/accounts_password/tests/duplicated_values.pass.sh b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
+new file mode 100644
+index 00000000000..e7b7f957d3d
+--- /dev/null
++++ b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
++
++truncate -s 0 /etc/security/pwquality.conf
++
++echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
++echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf

SOURCES/scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch

@@ -0,0 +1,185 @@
+From 38edb566365afd64632ad12d532ccbafcb7b422b Mon Sep 17 00:00:00 2001
+From: Edgar Aguilar <edgar.aguilar@oracle.com>
+Date: Thu, 28 Jul 2022 13:51:27 -0500
+Subject: [PATCH] Add OVAL to fapolicy_default_deny
+
+Add the rule fapolicy_default_deny to OL8 STIG profile, which covers
+requirement OL08-00-040137. Include tests to validate OVAL
+
+Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
+---
+ .../fapolicy_default_deny/oval/shared.xml     | 39 +++++++++++++++++++
+ .../fapolicyd/fapolicy_default_deny/rule.yml  |  3 +-
+ .../tests/commented_value.fail.sh             | 12 ++++++
+ .../tests/correct_value.pass.sh               | 12 ++++++
+ .../tests/deny_not_last.fail.sh               | 12 ++++++
+ .../tests/fapolicy_permissive.fail.sh         |  5 +++
+ .../tests/wrong_value.fail.sh                 | 11 ++++++
+ products/ol8/profiles/stig.profile            |  1 +
+ 8 files changed, 94 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
+ create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
+
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
+new file mode 100644
+index 00000000000..9989459ad22
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
+@@ -0,0 +1,39 @@
++<def-group>
++    <definition class="compliance" id="{{{ rule_id }}}" version="1">
++        {{{
++        oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
++        }}}
++        <criteria>
++        <criterion comment="fapolicyd employs a deny-all policy"
++        test_ref="test_fapolicy_default_deny_policy" />
++        <criterion comment="fapolicyd is in enforcement mode"
++        test_ref="test_fapolicy_default_deny_enforcement" />
++        </criteria>
++    </definition>
++
++    <ind:textfilecontent54_test check_existence="only_one_exists" check="all"
++    comment="fapolicyd employs a deny-all policy"
++    id="test_fapolicy_default_deny_policy" version="1">
++        <ind:object object_ref="obj_fapolicy_default_deny_policy" />
++    </ind:textfilecontent54_test>
++    <ind:textfilecontent54_object id="obj_fapolicy_default_deny_policy" version="1">
++        <ind:behaviors multiline="false" />
++        <ind:filepath>/etc/fapolicyd/fapolicyd.rules</ind:filepath>
++        <ind:pattern operation="pattern match">(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$</ind:pattern>
++        <ind:instance datatype="int">1</ind:instance>
++    </ind:textfilecontent54_object>
++    <ind:textfilecontent54_test check_existence="all_exist" check="all"
++    comment="fapolicyd is in enforcement mode"
++    id="test_fapolicy_default_deny_enforcement" version="1">
++        <ind:object object_ref="obj_fapolicy_default_deny_enforcement" />
++        <ind:state state_ref="state_fapolicy_default_deny_enforcement" />
++    </ind:textfilecontent54_test>
++    <ind:textfilecontent54_object id="obj_fapolicy_default_deny_enforcement" version="1">
++        <ind:filepath>/etc/fapolicyd/fapolicyd.conf</ind:filepath>
++        <ind:pattern operation="pattern match">^\s*permissive\s*=\s*(\d+)</ind:pattern>
++        <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++    </ind:textfilecontent54_object>
++    <ind:textfilecontent54_state id="state_fapolicy_default_deny_enforcement" version="1" comment="root email alias">
++    <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
++  </ind:textfilecontent54_state>
++</def-group>
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+index e6837e5d7bd..5b9a1649571 100644
+--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel8,rhel9
++prodtype: ol8,ol9,rhel8,rhel9
+ 
+ title: 'Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.'
+ 
+@@ -25,6 +25,7 @@ references:
+   disa:  CCI-001764
+   nist: CM-7 (2),CM-7 (5) (b),CM-6 b
+   srg: SRG-OS-000368-GPOS-00154,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00232
++  stigid@ol8: OL08-00-040137
+   stigid@rhel8: RHEL-08-040137
+ 
+ ocil_clause: 'fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy'
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
+new file mode 100644
+index 00000000000..a8df835af76
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
++
++truncate -s 0 /etc/fapolicyd/fapolicyd.rules
++
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
++echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
+new file mode 100644
+index 00000000000..c88406b0be4
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
++
++truncate -s 0 /etc/fapolicyd/fapolicyd.rules
++
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
++echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
+new file mode 100644
+index 00000000000..59b16308563
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
++
++truncate -s 0 /etc/fapolicyd/fapolicyd.rules
++
++echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
+new file mode 100644
+index 00000000000..50756a0e7a3
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
+new file mode 100644
+index 00000000000..da3e33f57fd
+--- /dev/null
++++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# packages = fapolicyd
++# remediation = none
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
++
++truncate -s 0 /etc/fapolicyd/fapolicyd.rules
++
++echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
++
++{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
+diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
+index 05f03d339e6..34a136b8489 100644
+--- a/products/ol8/profiles/stig.profile
++++ b/products/ol8/profiles/stig.profile
+@@ -1069,6 +1069,7 @@ selections:
+     - service_fapolicyd_enabled
+ 
+     # OL08-00-040137
++    - fapolicy_default_deny
+ 
+     # OL08-00-040139
+     - package_usbguard_installed

SOURCES/scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch

@@ -0,0 +1,61 @@
+From dc37d3c376cd3f2a2178d82a928629b231662cf9 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.om>
+Date: Fri, 11 Nov 2022 12:05:28 +0100
+Subject: [PATCH] Align service_disabled template to service_enabled
+
+---
+ .../service_disabled/ansible.template         | 32 +++++--------------
+ 1 file changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
+index 5c70756b8af..752f6ac5099 100644
+--- a/shared/templates/service_disabled/ansible.template
++++ b/shared/templates/service_disabled/ansible.template
+@@ -3,39 +3,17 @@
+ # strategy = disable
+ # complexity = low
+ # disruption = low
+-{{%- if init_system == "systemd" %}}
+ - name: Disable service {{{ SERVICENAME }}}
+   block:
++  - name: Gather the package facts
++    package_facts:
++      manager: auto
++
+   - name: Disable service {{{ SERVICENAME }}}
+-    systemd:
+-      name: "{{{ DAEMONNAME }}}.service"
++    service:
++      name: "{{{ DAEMONNAME }}}"
+       enabled: "no"
+       state: "stopped"
+       masked: "yes"
+-    ignore_errors: 'yes'
+-
+-- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+-  command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
+-  args:
+-    warn: False
+-  register: socket_file_exists
+-  changed_when: False
+-  ignore_errors: True
+-  check_mode: False
+-
+-- name: Disable socket {{{ SERVICENAME }}}
+-  systemd:
+-    name: "{{{ DAEMONNAME }}}.socket"
+-    enabled: "no"
+-    state: "stopped"
+-    masked: "yes"
+-  when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
+-{{% elif init_system == "upstart" %}}
+-- name: Stop {{{ SERVICENAME }}}
+-  command: /sbin/service '{{{ DAEMONNAME }}}' stop
+-
+-- name: Switch off {{{ SERVICENAME }}}
+-  command: /sbin/chkconfig --level 0123456 '{{{ DAEMONNAME }}}' off
+-{{%- else %}}
+-JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
+-{{%- endif %}}
++    when:
++    - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'

SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch

@@ -0,0 +1,217 @@
+From c27ea9d1987545488b6bca12a9dafd149331b1f9 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.om>
+Date: Fri, 11 Nov 2022 12:27:11 +0100
+Subject: [PATCH 1/3] Remove deprecated warn parameter from Ansbile command
+ module
+
+---
+ .../system/accounts/enable_authselect/ansible/shared.yml    | 2 --
+ .../audit_rules_privileged_commands/ansible/shared.yml      | 2 --
+ .../audit_rules_suid_privilege_function/ansible/shared.yml  | 2 --
+ .../rpm_verification/rpm_verify_hashes/ansible/shared.yml   | 6 ------
+ .../rpm_verify_ownership/ansible/shared.yml                 | 6 ------
+ .../rpm_verify_permissions/ansible/shared.yml               | 6 ------
+ .../ensure_redhat_gpgkey_installed/ansible/shared.yml       | 2 --
+ 8 files changed, 28 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
+index afd658790f7..6a7324a7a64 100644
+--- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
++++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
+@@ -17,8 +17,6 @@
+     cmd: rpm -qV pam
+   register: result_altered_authselect
+   ignore_errors: yes
+-  args:
+-    warn: False
+   when:
+     - result_authselect_select is failed
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+index 68c8497c859..bb1fec9e2b8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+@@ -8,8 +8,6 @@
+   shell: |
+     set -o pipefail
+     find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
+-  args:
+-    warn: False
+     executable: /bin/bash
+   check_mode: no
+   register: find_result
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+index b25361136af..c46cbbe3950 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+@@ -49,8 +49,6 @@
+ {{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011
+ - name: Reload Auditd
+   command: /usr/sbin/service auditd reload
+-  args:
+-    warn: false
+ {{%- endif %}}
+   when:
+     - (augenrules_audit_rules_privilege_function_update_result.changed or
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+index 0241e804b30..0d66cb349c0 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+@@ -22,8 +22,6 @@
+ 
+ - name: "Read files with incorrect hash"
+   command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
+-  args:
+-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
+   register: files_with_incorrect_hash
+   changed_when: False
+   failed_when: files_with_incorrect_hash.rc > 1
+@@ -32,8 +30,6 @@
+ 
+ - name: Create list of packages
+   command: rpm -qf "{{ item }}"
+-  args:
+-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module
+   with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
+   register: list_of_packages
+   changed_when: False
+@@ -44,8 +40,6 @@
+ 
+ - name: "Reinstall packages of files with incorrect hash"
+   command: "{{ package_manager_reinstall_cmd }} '{{ item }}'"
+-  args:
+-    warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
+   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
+   when:
+     - files_with_incorrect_hash.stdout_lines is defined
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+index ed490498a1d..f43b9bcef1c 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+@@ -5,8 +5,6 @@
+ # disruption = medium
+ - name: "Read list of files with incorrect ownership"
+   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode
+-  args:
+-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
+   register: files_with_incorrect_ownership
+   failed_when: files_with_incorrect_ownership.rc > 1
+   changed_when: False
+@@ -14,8 +12,6 @@
+ 
+ - name: Create list of packages
+   command: rpm -qf "{{ item }}"
+-  args:
+-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
+   with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
+   register: list_of_packages
+   changed_when: False
+@@ -24,7 +20,5 @@
+ 
+ - name: "Correct file ownership with RPM"
+   command: "rpm --quiet --setugids '{{ item }}'"
+-  args:
+-    warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
+   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
+   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+index 419ef95a323..0bd8e7e8ad5 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+@@ -5,8 +5,6 @@
+ # disruption = medium
+ - name: "Read list of files with incorrect permissions"
+   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
+-  args:
+-    warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
+   register: files_with_incorrect_permissions
+   failed_when: files_with_incorrect_permissions.rc > 1
+   changed_when: False
+@@ -14,8 +12,6 @@
+ 
+ - name: Create list of packages
+   command: rpm -qf "{{ item }}"
+-  args:
+-    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module
+   with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
+   register: list_of_packages
+   changed_when: False
+@@ -24,7 +20,5 @@
+ 
+ - name: "Correct file permissions with RPM"
+   command: "rpm --setperms '{{ item }}'"
+-  args:
+-    warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
+   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
+   when: (files_with_incorrect_permissions.stdout_lines | length > 0)
+diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+index f6f590820e1..6ab9bdee767 100644
+--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
++++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+@@ -18,8 +18,6 @@
+   {{%- else -%}}
+   command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+   {{%- endif %}}
+-  args:
+-    warn: False
+   changed_when: False
+   register: gpg_fingerprints
+   check_mode: no
+
+From 5617aa675132782d53a8714738bd2187d9b2e3ab Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.om>
+Date: Tue, 15 Nov 2022 10:00:49 +0100
+Subject: [PATCH 2/3] Fix rpm_verify_* ansible remediations
+
+---
+ .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 +-
+ .../rpm_verification/rpm_verify_ownership/ansible/shared.yml    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+index 0d66cb349c0..fd850def318 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+@@ -12,7 +12,7 @@
+ - name: "Set fact: Package manager reinstall command (yum)"
+   set_fact:
+     package_manager_reinstall_cmd: yum reinstall -y
+-  when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
++  when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "OracleLinux")
+ 
+ - name: "Read files with incorrect hash"
+   command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+index f43b9bcef1c..5c39628ff4c 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+@@ -19,6 +19,6 @@
+   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
+ 
+ - name: "Correct file ownership with RPM"
+-  command: "rpm --quiet --setugids '{{ item }}'"
++  command: "rpm --setugids '{{ item }}'"
+   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
+   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
+
+From 957d0439e89ebe5c665aafa16e107c6611d83f6b Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.om>
+Date: Tue, 15 Nov 2022 17:20:02 +0100
+Subject: [PATCH 3/3] Make rpm_verify_hashes ansible remediation applicable on
+ all RHELs
+
+---
+ .../rpm_verification/rpm_verify_hashes/ansible/shared.yml       | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+index fd850def318..178a7711a54 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+@@ -1,5 +1,5 @@
+ # and the regex_findall does not filter out configuration files the same as bash remediation does
+-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+ # reboot = false
+ # strategy = restrict
+ # complexity = high

SOURCES/scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch

@@ -0,0 +1,50 @@
+From 8c6d618070476bd81edd0524c895a3497fc902a6 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Nov 2022 17:48:55 +0100
+Subject: [PATCH] accounts_password_pam_retry: Add test for dupes and conflicts
+
+Add test scenarios to ensure that conflicting values are failing
+and that duplicated rule are passing.
+---
+ .../tests/pwquality_conf_conflicting_values.fail.sh  | 12 ++++++++++++
+ .../tests/pwquality_conf_duplicate_values.pass.sh    | 12 ++++++++++++
+ 2 files changed, 24 insertions(+)
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
+new file mode 100644
+index 00000000000..16bd1171a46
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# variables = var_password_pam_retry=3
++
++source common.sh
++
++CONF_FILE="/etc/security/pwquality.conf"
++retry_cnt=3
++
++truncate -s 0 $CONF_FILE
++
++echo "retry = 3" >> $CONF_FILE
++echo "retry = 4" >> $CONF_FILE
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
+new file mode 100644
+index 00000000000..da37627dbb3
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# variables = var_password_pam_retry=3
++
++source common.sh
++
++CONF_FILE="/etc/security/pwquality.conf"
++retry_cnt=3
++
++truncate -s 0 $CONF_FILE
++
++echo "retry = 3" >> $CONF_FILE
++echo "retry = 3" >> $CONF_FILE

SOURCES/scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch

@@ -0,0 +1,81 @@
+From ddf34ef7c71b79ca12ccfcd00eada2c08c34d2c9 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.om>
+Date: Mon, 14 Nov 2022 17:16:53 +0100
+Subject: [PATCH 1/2] Revert "Align service_disabled template to
+ service_enabled"
+
+This reverts commit dc37d3c376cd3f2a2178d82a928629b231662cf9.
+---
+ .../service_disabled/ansible.template         | 32 ++++++++++++++-----
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
+index 752f6ac5099..5c70756b8af 100644
+--- a/shared/templates/service_disabled/ansible.template
++++ b/shared/templates/service_disabled/ansible.template
+@@ -3,17 +3,33 @@
+ # strategy = disable
+ # complexity = low
+ # disruption = low
++{{%- if init_system == "systemd" %}}
+ - name: Disable service {{{ SERVICENAME }}}
+   block:
+-  - name: Gather the package facts
+-    package_facts:
+-      manager: auto
+-
+   - name: Disable service {{{ SERVICENAME }}}
+-    service:
+-      name: "{{{ DAEMONNAME }}}"
++    systemd:
++      name: "{{{ DAEMONNAME }}}.service"
+       enabled: "no"
+       state: "stopped"
+       masked: "yes"
+-    when:
+-    - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
++    ignore_errors: 'yes'
++
++- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
++  command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
++  args:
++    warn: False
++  register: socket_file_exists
++  changed_when: False
++  ignore_errors: True
++  check_mode: False
++
++- name: Disable socket {{{ SERVICENAME }}}
++  systemd:
++    name: "{{{ DAEMONNAME }}}.socket"
++    enabled: "no"
++    state: "stopped"
++    masked: "yes"
++  when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
++{{%- else %}}
++JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
++{{%- endif %}}
+
+From 8c20a2bc997c0a24eba2a9924d832954b9e91b6a Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.om>
+Date: Mon, 14 Nov 2022 17:37:50 +0100
+Subject: [PATCH 2/2] Make service_disabled template compatible with Ansible
+ 2.14
+
+---
+ shared/templates/service_disabled/ansible.template | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
+index 5c70756b8af..72678e050cf 100644
+--- a/shared/templates/service_disabled/ansible.template
++++ b/shared/templates/service_disabled/ansible.template
+@@ -16,8 +16,6 @@
+ 
+ - name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+   command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
+-  args:
+-    warn: False
+   register: socket_file_exists
+   changed_when: False
+   ignore_errors: True

SOURCES/scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch

@@ -0,0 +1,95 @@
+From 9a72c4cef2dd782e14f1534a52c45125671a828d Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Mon, 14 Nov 2022 15:23:32 +0100
+Subject: [PATCH 2/4] Update remediation to skip .bash_profile file
+
+This file can have the umask content but for a different purpose than
+this rule intention. It was ignored in order to avoid changing the bash
+history. Ansible and Bash were updated.
+---
+ .../accounts_umask_interactive_users/ansible/shared.yml       | 4 +++-
+ .../accounts_umask_interactive_users/bash/shared.sh           | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
+index 67064ac4a3b..3586ae69cbe 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
+@@ -9,6 +9,8 @@
+     cmd: |
+       for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
+         for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
+-          sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
++          if [ "$(basename $file)" != ".bash_history" ]; then
++            sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
++          fi
+         done
+       done
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
+index d5f803db313..f524ff01f9a 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
+@@ -6,6 +6,8 @@
+ 
+ {{% call iterate_over_command_output("dir", "awk -F':' '{ if ($3 >= " ~ uid_min ~ " && $3 != 65534) print $6}' /etc/passwd") -%}}
+ {{% call iterate_over_find_output("file", '$dir -maxdepth 1 -type f -name ".*"') -%}}
+-sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
++if [ "$(basename $file)" != ".bash_history" ]; then
++    sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
++fi
+ {{%- endcall %}}
+ {{%- endcall %}}
+
+From d0dcfc06b31d08cb42151463473ba0b211c54e6a Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Mon, 14 Nov 2022 15:26:04 +0100
+Subject: [PATCH 3/4] Include test scenario to test .bash_history treatment
+
+---
+ .../tests/bash_history_ignored.pass.sh                       | 5 +++++
+ 1 file changed, 5 insertions(+)
+ create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
+new file mode 100644
+index 00000000000..8eeffc233b2
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++
++USER="cac_user"
++useradd -m $USER
++echo "umask 022" > /home/$USER/.bash_history
+
+From c8dc63aad4fbe6df499192eda01d66e64bc8c9c3 Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Mon, 14 Nov 2022 15:27:26 +0100
+Subject: [PATCH 4/4] Extend OVAL check to ignore .bash_history file
+
+This rule targets user files where the umask can be changed. It is not the
+case for .bash_history. In addition, it should be avoided to change the
+.bash_history file by this rule remediations.
+---
+ .../accounts_umask_interactive_users/oval/shared.xml        | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
+index 42dbdbbae46..6f3eaa570d7 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
+@@ -29,8 +29,14 @@
+     <ind:filename operation="pattern match">^\..*</ind:filename>
+     <ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++    <filter action="exclude">state_accounts_umask_interactive_users_bash_history</filter>
+   </ind:textfilecontent54_object>
+ 
++  <ind:textfilecontent54_state id="state_accounts_umask_interactive_users_bash_history"
++    version="1">
++    <ind:filename operation="pattern match">^\.bash_history</ind:filename>
++  </ind:textfilecontent54_state>
++
+   <!-- #### creation of test #### -->
+   <ind:textfilecontent54_test id="test_accounts_umask_interactive_users" check="all"
+                   check_existence="none_exist" version="1"

SOURCES/scap-security-guide-0.1.65-stig_rhel8_ClientAliveCountMax-PR_9784.patch

@@ -0,0 +1,352 @@
+From c4afa942edea4b26498dc223d4965fb722d919ed Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Nov 2022 13:53:14 +0100
+Subject: [PATCH 1/7] RHEL8 STIG v1R8 requires ClientAliveCountMax 1
+
+Following update from V1R8, update the STIG profile to configure
+ClientAliveCountMax to 1.
+
+This will timeout SSH connections when client alive messages are not
+received within ClientAliveInterval seconds.
+This serves the purpose of disconnecting sessions when the client has
+become unresponsive.
+---
+ .../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 +
+ .../services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml     | 1 -
+ products/rhel8/profiles/stig.profile                          | 4 ++--
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+index bc8ee914565..df0681f3f3a 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+@@ -55,6 +55,7 @@ references:
+     pcidss: Req-8.1.8
+     srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
+     stigid@ol7: OL07-00-040340
++    stigid@rhel8: RHEL-08-010200
+     stigid@sle12: SLES-12-030191
+     stigid@ubuntu2004: UBTU-20-010036
+     vmmsrg: SRG-OS-000480-VMM-002000
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+index 024cb687382..a02fa8f40db 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+@@ -54,7 +54,6 @@ references:
+     stigid@ol7: OL07-00-040340
+     stigid@ol8: OL08-00-010200
+     stigid@rhel7: RHEL-07-040340
+-    stigid@rhel8: RHEL-08-010200
+     stigid@sle12: SLES-12-030191
+     stigid@sle15: SLES-15-010320
+     vmmsrg: SRG-OS-000480-VMM-002000
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 96dfbf6b203..d184957f28c 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -50,7 +50,7 @@ selections:
+     - var_password_pam_lcredit=1
+     - var_password_pam_retry=3
+     - var_password_pam_minlen=15
+-    # - var_sshd_set_keepalive=0
++    - var_sshd_set_keepalive=1
+     - sshd_approved_macs=stig
+     - sshd_approved_ciphers=stig
+     - sshd_idle_timeout_value=10_minutes
+@@ -174,7 +174,7 @@ selections:
+     # they still need to be selected so it follows exactly what STIG
+     # states.
+     # RHEL-08-010200
+-    - sshd_set_keepalive_0
++    - sshd_set_keepalive
+     # RHEL-08-010201
+     - sshd_set_idle_timeout
+ 
+
+From a9f13cdff06ce7de53420b0ca65b3a8110eae85a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Nov 2022 14:06:42 +0100
+Subject: [PATCH 2/7] Change verbiage on keepalive rules
+
+Stop using the 'idle', that implies an idle user; And
+start using unresponsive, which better describes the state of network.
+---
+ .../ssh/ssh_server/sshd_set_keepalive/rule.yml    | 15 ++++++++-------
+ .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml  |  6 +++---
+ 2 files changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+index df0681f3f3a..7a27c134f1e 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+@@ -7,14 +7,15 @@ description: |-
+     during a SSH session and waits for a response from the SSH client.
+     The option <tt>ClientAliveInterval</tt> configures timeout after
+     each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
+-    receive a response from the client, then the connection is considered idle
++    receive a response from the client, then the connection is considered unresponsive
+     and terminated.
+     For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt>
+-    causes an idle timeout precisely when the <tt>ClientAliveInterval</tt> is set.
++    causes a timeout precisely when the <tt>ClientAliveInterval</tt> is set.
+     Starting with v8.2, a value of <tt>0</tt> disables the timeout functionality
+     completely. If the option is set to a number greater than <tt>0</tt>, then
+-    the idle session will be disconnected after
+-    <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
++    the session will be disconnected after
++    <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds without receiving
++    a keep alive message.
+ 
+ rationale: |-
+     This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
+@@ -70,8 +71,8 @@ ocil: |-
+     <pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
+     If properly configured, the output should be:
+     <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
+-    For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes an idle timeout precisely when
++    For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes a timeout precisely when
+     the <tt>ClientAliveInterval</tt> is set.  Starting with v8.2, a value of <tt>0</tt> disables the timeout
+     functionality completely.
+-    If the option is set to a number greater than <tt>0</tt>, then the idle session will be disconnected after
+-    <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
++    If the option is set to a number greater than <tt>0</tt>, then the session will be disconnected after
++    <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds witout receiving a keep alive message.
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+index a02fa8f40db..55011ab66a7 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+@@ -10,10 +10,10 @@ description: |-
+     during a SSH session and waits for a response from the SSH client.
+     The option <tt>ClientAliveInterval</tt> configures timeout after
+     each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
+-    receive a response from the client, then the connection is considered idle
++    receive a response from the client, then the connection is considered unresponsive
+     and terminated.
+ 
+-    To ensure the SSH idle timeout occurs precisely when the
++    To ensure the SSH timeout occurs precisely when the
+     <tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
+     value of <tt>0</tt> in
+     {{{ sshd_config_file() }}}
+@@ -73,7 +73,7 @@ ocil: |-
+     If properly configured, the output should be:
+     <pre>ClientAliveCountMax 0</pre>
+ 
+-    In this case, the SSH idle timeout occurs precisely when
++    In this case, the SSH timeout occurs precisely when
+     the <tt>ClientAliveInterval</tt> is set.
+ 
+ template:
+
+From 587cec666b6379995e38a90bcd0ed86bbf4bd3e3 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Nov 2022 14:27:50 +0100
+Subject: [PATCH 3/7] Add tests to check for configuration conflicts
+
+---
+ .../sshd_set_keepalive/tests/param_conflict.fail.sh | 11 +++++++++++
+ .../tests/param_conflict_directory.fail.sh          | 13 +++++++++++++
+ 2 files changed, 24 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
+new file mode 100644
+index 00000000000..54441cbb5b6
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++	sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
++echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
+new file mode 100644
+index 00000000000..aa6931cc243
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++	sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf
++echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf
+
+From d07a7f33cc5dd486d5d56ce71b90118366b68091 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Nov 2022 17:09:16 +0100
+Subject: [PATCH 4/7] Check all instances of ClientAliveCountMax
+
+The rule was only checking the first occurence of ClientAliveCountMax,
+but we need to check that all and any occurrences of
+ClientAliveCountMax are compliant.
+---
+ .../services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
+index 5e07d982821..404c36c8dbc 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
+@@ -49,7 +49,7 @@
+   <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
+     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+     <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
+-    <ind:instance datatype="int">1</ind:instance>
++    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+   {{%- if sshd_distributed_config == "true" %}}
+   <ind:textfilecontent54_test check="all" check_existence="all_exist"
+
+From d15ebb0b563895fbc2ab85c631410ea60bd02d95 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Nov 2022 17:40:26 +0100
+Subject: [PATCH 5/7] Add test to check for configuration conflicts
+
+Add test for non distributed ssh config conflicts for
+ClientAliveInterval.
+---
+ .../tests/param_conflict.fail.sh                  | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
+new file mode 100644
+index 00000000000..1e14aa3da36
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++    sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++	sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config
++echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config
++echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
+
+From c19d5400bd3ded71aae9175f27361065c962069e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Nov 2022 17:41:19 +0100
+Subject: [PATCH 6/7] Change verbiage on idle timeout rule
+
+The config is not really about idle user timeout, the config is about
+unresponsive network timeout.
+---
+ .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml    | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+index aa085894f61..c5606aac557 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+@@ -1,12 +1,12 @@
+ documentation_complete: true
+ 
+-title: 'Set SSH Idle Timeout Interval'
++title: 'Set SSH Client Alive Interval'
+ 
+ description: |-
+-    SSH allows administrators to set an idle timeout interval. After this interval
+-    has passed, the idle user will be automatically logged out.
++    SSH allows administrators to set a network responsiveness timeout interval.
++    After this interval has passed, the unresponsive client will be automatically logged out.
+     <br /><br />
+-    To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
++    To set this timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
+     follows:
+     <pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
+     <br/><br/>
+@@ -15,7 +15,7 @@ description: |-
+     <br /><br />
+     If a shorter timeout has already been set for the login shell, that value will
+     preempt any SSH setting made in <tt>/etc/ssh/sshd_config</tt>. Keep in mind that
+-    some processes may stop SSH  from correctly detecting that the user is idle.
++    some processes may stop SSH from correctly detecting that the user is idle.
+ 
+ rationale: |-
+     Terminating an idle ssh session within a short time period reduces the window of
+@@ -81,7 +81,7 @@ ocil: |-
+ 
+ warnings:
+     - dependency: |-
+-        SSH disconnecting idle clients will not have desired effect without also
++        SSH disconnecting unresponsive clients will not have desired effect without also
+         configuring ClientAliveCountMax in the SSH service configuration.
+     - general: |-
+         Following conditions may prevent the SSH session to time out:
+
+From 86b1a6147582c896e1bb49a0649493eeec37a8d4 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 9 Nov 2022 11:31:50 +0100
+Subject: [PATCH 7/7] Update profile stability test data
+
+---
+ tests/data/profile_stability/rhel8/stig.profile     | 3 ++-
+ tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index cadc3f5fc7a..51971451996 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -371,7 +371,7 @@ selections:
+ - sshd_print_last_log
+ - sshd_rekey_limit
+ - sshd_set_idle_timeout
+-- sshd_set_keepalive_0
++- sshd_set_keepalive
+ - sshd_use_strong_rng
+ - sshd_x11_use_localhost
+ - sssd_certificate_verification
+@@ -441,6 +441,7 @@ selections:
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
++- var_sshd_set_keepalive=1
+ - sshd_approved_macs=stig
+ - sshd_approved_ciphers=stig
+ - sshd_idle_timeout_value=10_minutes
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index bde4e18b068..fd150744167 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -381,7 +381,7 @@ selections:
+ - sshd_print_last_log
+ - sshd_rekey_limit
+ - sshd_set_idle_timeout
+-- sshd_set_keepalive_0
++- sshd_set_keepalive
+ - sshd_use_strong_rng
+ - sshd_x11_use_localhost
+ - sssd_certificate_verification
+@@ -449,6 +449,7 @@ selections:
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
++- var_sshd_set_keepalive=1
+ - sshd_approved_macs=stig
+ - sshd_approved_ciphers=stig
+ - sshd_idle_timeout_value=10_minutes

SOURCES/scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch

@@ -0,0 +1,142 @@
+From e4bcce25933c474cb2358411e30917d30fdf6eb7 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Nov 2022 10:13:16 +0100
+Subject: [PATCH 1/3] Add tests to check for RekeyLimit conflicts
+
+---
+ .../sshd_rekey_limit/tests/param_conflict.fail.sh | 13 +++++++++++++
+ .../tests/param_conflict_directory.fail.sh        | 15 +++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
+new file mode 100644
+index 00000000000..0eb6aab6804
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++
++SSHD_PARAM="RekeyLimit"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++    sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
++echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
+new file mode 100644
+index 00000000000..bc254a3a57c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
++
++SSHD_PARAM="RekeyLimit"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++   sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config.d/good_config.conf
++echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config.d/bad_config.conf
+
+From 2654d659b4dbe7eed9794005153ea3f147b27320 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Nov 2022 10:32:35 +0100
+Subject: [PATCH 2/3] Separate the SSHD parameter from the value
+
+Separate the SSHD paramater RekeyLimit from the compliant values.
+This makes it possible to collect all occurrences of RekeyLimit and
+compare each of then with the compliant values.
+---
+ .../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml  | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+index b2dd9039200..38c8a84aa3f 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+@@ -24,30 +24,36 @@
+ 
+   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
+      <ind:object object_ref="obj_sshd_rekey_limit"/>
++     <ind:state state_ref="state_sshd_rekey_limit"/>
+   </ind:textfilecontent54_test>
+ 
+   <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
+      <ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
+-     <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
++     <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern>
+      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+   {{%- if sshd_distributed_config == "true" %}}
+   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
+      <ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
++     <ind:state state_ref="state_sshd_rekey_limit"/>
+   </ind:textfilecontent54_test>
+ 
+   <ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
+      <ind:path>{{{ sshd_config_dir}}}</ind:path>
+      <ind:filename operation="pattern match">.*\.conf$</ind:filename>
+-     <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
++     <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern>
+      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+   {{%- endif %}}
+ 
++  <ind:textfilecontent54_state id="state_sshd_rekey_limit" version="1">
++     <ind:subexpression operation="pattern match" var_ref="sshd_line_regex" />
++  </ind:textfilecontent54_state>
++
+   <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
+     <concat>
+-      <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
++      <literal_component>^</literal_component>
+       <variable_component var_ref="var_rekey_limit_size"/>
+       <literal_component>[\s]+</literal_component>
+       <variable_component var_ref="var_rekey_limit_time"/>
+
+From f5847d8362e7331fde049f3c56f6bb4f44fb18f1 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Nov 2022 10:39:45 +0100
+Subject: [PATCH 3/3] Add test for duplicated SSHD parameter
+
+Ensure the rule still passes when a parameter is defined multiple times
+but have the same value.
+---
+ .../tests/duplicated_param.pass.sh                 | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
+new file mode 100644
+index 00000000000..2e0d8145abd
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++
++SSHD_PARAM="RekeyLimit"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++    sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
++echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
++

SOURCES/scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch

@@ -0,0 +1,52 @@
+From 93b9ab4f532710a8c063d7a71cbbeee26be2470b Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Nov 2022 18:01:17 +0100
+Subject: [PATCH] Add test for param conflicts for SSH compression
+
+---
+ .../tests/param_conflict.fail.sh                  | 13 +++++++++++++
+ .../tests/param_conflict_directory.fail.sh        | 15 +++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
+new file mode 100644
+index 00000000000..a631b3207bd
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++
++SSHD_PARAM="Compression"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++    sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} no" >> /etc/ssh/sshd_config
++echo "${SSHD_PARAM} yes" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
+new file mode 100644
+index 00000000000..f1c15c139c7
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
++
++SSHD_PARAM="Compression"
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++   sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++fi
++
++echo "${SSHD_PARAM} no" > /etc/ssh/sshd_config.d/good_config.conf
++echo "${SSHD_PARAM} yes" > /etc/ssh/sshd_config.d/bad_config.conf

SOURCES/scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch

@@ -0,0 +1,202 @@
+From c0320e5b1fc9257ef87956afc845fcbc579a080c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Nov 2022 15:16:32 +0100
+Subject: [PATCH 1/4] Add tests for sysctls in /usr/local/lib/sysctl.d
+
+Sysctl options can also be defined in /usr/local/lib/sysctl.d/
+---
+ .../tests/correct_value_usr_local_lib.pass.sh      | 14 ++++++++++++++
+ .../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 14 ++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
+ create mode 100644 shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
+
+diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
+new file mode 100644
+index 00000000000..3e366a9162f
+--- /dev/null
++++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++{{% if SYSCTLVAL == "" %}}
++# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
++{{% endif %}}
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
++mkdir /usr/local/lib/sysctl.d/
++echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf
++
++# set correct runtime value to check if the filesystem configuration is evaluated properly
++sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
+diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
+new file mode 100644
+index 00000000000..fee34ea272f
+--- /dev/null
++++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++{{% if SYSCTLVAL == "" %}}
++# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
++{{% endif %}}
++
++# Clean sysctl config directories
++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
++
++sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
++mkdir /usr/local/lib/sysctl.d/
++echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf
++
++# Setting correct runtime value
++sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
+
+From 81d45583b4ebd42302d9734447082afc97587ed8 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Nov 2022 15:19:15 +0100
+Subject: [PATCH 2/4] sysctl: Check /usr/local/lib/sysctl.d for configs
+
+Update the template so that /usr/local/lib/sysctl.d is also checked for
+sysctl onfigurations.
+---
+ shared/templates/sysctl/oval.template | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index bbe646274f6..3fe6de1c185 100644
+--- a/shared/templates/sysctl/oval.template
++++ b/shared/templates/sysctl/oval.template
+@@ -138,6 +138,8 @@
+         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
+                    test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
+ {{% endif %}}
++          <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/local/lib/sysctl.d/*.conf"
++                    test_ref="test_{{{ rule_id }}}_static_usr_local_lib_sysctld"/>
+       </criteria>
+ {{% if target_oval_version >= [5, 11] %}}
+       <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />
+@@ -181,6 +183,13 @@
+   </unix:symlink_state>
+ {{% endif %}}
+ 
++  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_local_lib_sysctld" version="1"
++                          check_existence="any_exist"
++                          check="all"
++                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/local/lib/sysctl.d/*.conf" state_operator="OR">
++    {{{ state_static_sysctld("usr_local_lib_sysctld") }}}
++  </ind:textfilecontent54_test>
++
+   <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
+     <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
+   </local_variable>
+@@ -190,7 +199,7 @@
+   <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
+     <set>
+       <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
+-      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
++      <object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
+     </set>
+   </ind:textfilecontent54_object>
+ 
+@@ -201,6 +210,13 @@
+     </set>
+   </ind:textfilecontent54_object>
+ 
++  <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
++    <set>
++      <object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
++      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
++    </set>
++  </ind:textfilecontent54_object>
++
+   <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
+     <set>
+       <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
+@@ -227,6 +243,12 @@
+     {{{ sysctl_match() }}}
+   </ind:textfilecontent54_object>
+ 
++  <ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_{{{ rule_id }}}" version="1">
++    <ind:path>/usr/local/lib/sysctl.d</ind:path>
++    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
++    {{{ sysctl_match() }}}
++  </ind:textfilecontent54_object>
++
+ {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+   <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
+     <ind:path>/usr/lib/sysctl.d</ind:path>
+
+From e863b901b4cca177a67dd11d40a5b4d9ce6deaba Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Nov 2022 15:35:17 +0100
+Subject: [PATCH 3/4] sysctl: Align Ansible and Bash remediations
+
+The Ansible remediation for some products were not aligned with the Bash
+one.
+---
+ shared/templates/sysctl/ansible.template | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
+index edc4d3fb667..d67cdd2068c 100644
+--- a/shared/templates/sysctl/ansible.template
++++ b/shared/templates/sysctl/ansible.template
+@@ -9,12 +9,15 @@
+     paths:
+       - "/etc/sysctl.d/"
+       - "/run/sysctl.d/"
++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
++      - "/usr/lib/sysctl.d/"
++{{% endif %}}
+     contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
+     patterns: "*.conf"
+     file_type: any
+   register: find_sysctl_d
+ 
+-- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
++- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files
+   replace:
+     path: "{{ item.path }}"
+     regexp: '^[\s]*{{{ SYSCTLVAR }}}'
+
+From 528715c89910afdfb0287b7f405d6849b5701ecb Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 14 Nov 2022 15:36:59 +0100
+Subject: [PATCH 4/4] sysctl: remove settings in /usr/local/lib/sysctl.d
+
+Also check for sysctl configs /usr/local/lib/sysctl.d for sysctl options
+and comment them out.
+---
+ shared/templates/sysctl/ansible.template | 1 +
+ shared/templates/sysctl/bash.template    | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
+index d67cdd2068c..3ac5d072fcf 100644
+--- a/shared/templates/sysctl/ansible.template
++++ b/shared/templates/sysctl/ansible.template
+@@ -9,6 +9,7 @@
+     paths:
+       - "/etc/sysctl.d/"
+       - "/run/sysctl.d/"
++      - "/usr/local/lib/sysctl.d/"
+ {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+       - "/usr/lib/sysctl.d/"
+ {{% endif %}}
+diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
+index 27935c33612..83f50a74a06 100644
+--- a/shared/templates/sysctl/bash.template
++++ b/shared/templates/sysctl/bash.template
+@@ -6,9 +6,9 @@
+ 
+ # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+ {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
++for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+ {{% else %}}
+-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
++for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
+ {{% endif %}}
+   matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
+   if ! test -z "$matching_list"; then

SOURCES/scap-security-guide-0.1.66-map_stig_rhel_08_040400-PR_9878.patch

@@ -0,0 +1,83 @@
+From fae75e8f00cf5de18c4c1813d94987e848f14233 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 24 Nov 2022 14:40:15 +0100
+Subject: [PATCH] Map selinux_user_login_roles to RHEL-08-040400
+
+This STIG ID is a new addition in DISA RHEL8 STIG V1R8
+---
+ .../guide/system/selinux/selinux_user_login_roles/rule.yml     | 2 ++
+ products/rhel8/profiles/stig.profile                           | 3 +++
+ shared/references/cce-redhat-avail.txt                         | 1 -
+ tests/data/profile_stability/rhel8/stig.profile                | 1 +
+ tests/data/profile_stability/rhel8/stig_gui.profile            | 1 +
+ 5 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
+index 053d4341bbd..d4c211c1062 100644
+--- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel7: CCE-80543-2
++    cce@rhel8: CCE-86353-0
+ 
+ references:
+     disa: CCI-002165,CCI-002235
+@@ -41,6 +42,7 @@ references:
+     stigid@ol7: OL07-00-020020
+     stigid@ol8: OL08-00-040400
+     stigid@rhel7: RHEL-07-020020
++    stigid@rhel8: RHEL-08-040400
+ 
+ ocil_clause: 'non-admin users are not confined correctly'
+ 
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index d184957f28c..fe699f34beb 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -1207,5 +1207,8 @@ selections:
+     # RHEL-08-040390
+     - package_tuned_removed
+ 
++    # RHEL-08-040400
++    - selinux_user_login_roles
++
+     # RHEL-08-010163
+     - package_krb5-server_removed
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index d2fcd6421e1..9575ecac8c9 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -210,7 +210,6 @@ CCE-86343-1
+ CCE-86347-2
+ CCE-86351-4
+ CCE-86352-2
+-CCE-86353-0
+ CCE-86355-5
+ CCE-86357-1
+ CCE-86358-9
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 51971451996..6ddf29e7bfe 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -343,6 +343,7 @@ selections:
+ - security_patches_up_to_date
+ - selinux_policytype
+ - selinux_state
++- selinux_user_login_roles
+ - service_auditd_enabled
+ - service_autofs_disabled
+ - service_debug-shell_disabled
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index fd150744167..fb8f5602dac 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -353,6 +353,7 @@ selections:
+ - security_patches_up_to_date
+ - selinux_policytype
+ - selinux_state
++- selinux_user_login_roles
+ - service_auditd_enabled
+ - service_autofs_disabled
+ - service_debug-shell_disabled

SPECS/scap-security-guide.spec

@@ -6,7 +6,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.63
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@@ -35,6 +35,23 @@ Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.p
 Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
 Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
 Patch16:		scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
+Patch17:		scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch
+Patch18:		scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch
+Patch19:		scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch
+Patch20:		scap-security-guide-0.1.65-stig_rhel8_ClientAliveCountMax-PR_9784.patch
+Patch21:		scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch
+Patch22:		scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch
+Patch23:		scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch
+Patch24:		scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch
+Patch25:		scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch
+Patch26:		scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch
+Patch27:		scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch
+Patch28:		scap-security-guide-0.1.66-map_stig_rhel_08_040400-PR_9878.patch
+Patch29:		scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch
+Patch30:		scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch
+Patch31:		scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch
+Patch32:		scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch
+Patch33:		scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch
 
 BuildRequires:	libxslt
 BuildRequires:	expat
@@ -139,6 +156,12 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif
 
 %changelog
+* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
+- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
+- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)
+- Fix remediation for firewalld_sshd_port_enabled (RHBZ#2116474)
+- Fix compatibility with Ansible 2.14
+
 * Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
 - Fix check of enable_fips_mode on s390x (RHBZ#2070564)