diff --git a/.gitignore b/.gitignore
index 444500d..c37f96f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@
 /scap-security-guide-0.1.53.tar.bz2
 /scap-security-guide-0.1.54.tar.bz2
 /scap-security-guide-0.1.56.tar.bz2
+/scap-security-guide-0.1.57.tar.bz2
diff --git a/scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch b/scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch
deleted file mode 100644
index a6e478f..0000000
--- a/scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch
+++ /dev/null
@@ -1,693 +0,0 @@ -From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 11 May 2021 17:14:24 +0200 -Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening - ---- - controls/anssi.yml | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/controls/anssi.yml b/controls/anssi.yml -index 2053de05c0..e9b9f1b803 100644 ---- a/controls/anssi.yml -+++ b/controls/anssi.yml -@@ -70,6 +70,10 @@ controls: - It is recommended to use the mandatory access control (MAC) features in - addition to the traditional Unix user model (DAC), or possibly combine - them with partitioning mechanisms. -+ notes: >- -+ Other partitioning mechanisms can include chroot and containers and are not contemplated -+ in this requirement. -+ automated: partially - rules: - - selinux_state - - var_selinux_state=enforcing -@@ -161,6 +165,7 @@ controls: - The iommu = force directive must be added to the list of kernel parameters - during startup in addition to those already present in the configuration - files of the bootloader (/boot/grub/menu.lst or /etc/default/grub). -+ automated: yes - rules: - - grub2_enable_iommu_force - -@@ -837,8 +842,8 @@ controls: - not locally stored in clear), or possibly stored on a separate machine - of the one on which the sealing is done. - Check section "Database and config signing in AIDE manual" -- https://github.com/aide/aide/blob/master/doc/manual.html -- # rules: TBD -+ https://aide.github.io/doc/#signing -+ automated: no - - - id: R53 - level: enhanced -@@ -946,7 +951,7 @@ controls: - title: Enable AppArmor security profiles - description: >- - All AppArmor security profiles on the system must be enabled by default. -- # rules: TBD -+ automated: no - - - id: R66 - level: high -@@ -990,6 +995,7 @@ controls: - description: >- - SELinux policy manipulation and debugging tools should not be installed - on a machine in production. 
-+ automated: yes - rules: - - package_setroubleshoot_removed - - package_setroubleshoot-server_removed -@@ -1000,4 +1006,5 @@ controls: - title: Confining interactive non-privileged users - description: >- - Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user. -- # rules: TBD -+ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u. -+ automated: no - -From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 11 May 2021 17:31:11 +0200 -Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels - ---- - controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 75 insertions(+), 16 deletions(-) - -diff --git a/controls/anssi.yml b/controls/anssi.yml -index e9b9f1b803..291af65f58 100644 ---- a/controls/anssi.yml -+++ b/controls/anssi.yml -@@ -19,8 +19,10 @@ controls: - Those whose presence can not be justified should be disabled, removed or deleted. - automated: partially # The list of essential services is not objective. - notes: >- -- Use of obsolete or insecure services is not recommended. -- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later. -+ Manual review is required to assess if the installed services are minimal. -+ In general, use of obsolete or insecure services is not recommended. -+ Performing a minimal install is a good starting point, but doesn't provide any assurance -+ over any package installed later. - rules: - - package_dhcp_removed - #- package_rsh_removed -@@ -45,10 +47,9 @@ controls: - problematic from a security point of view. - The features configured at the level of launched services should be limited to the strict - minimum. -+ automated: no - notes: >- - Define a list of most problematic components or features to be hardened or restricted. 
-- # potential components: sshd, pam, chrony? -- # rules: TBD - - - id: R3 - level: enhanced -@@ -109,7 +110,10 @@ controls: - Network services should as much as possible be hosted on isolated environments. - This avoids having other potentially affected services if one of them gets - compromised under the same environment. -- #rules: TBD -+ notes: >- -+ Manual analysis is required to determine if services are hosted appropriately in -+ separate or isolated system while maintaining functionality. -+ automated: no - - - id: R7 - level: enhanced -@@ -117,6 +121,7 @@ controls: - description: >- - The activities of the running system and services must be logged and - archived on an external, non-local system. -+ automated: yes - rules: - # The default remote loghost is logcollector. - # Change the default value to the hostname or IP of the system to send the logs to -@@ -235,6 +240,7 @@ controls: - notes: >- - The rule disabling auto-mount for /boot is commented until the rules checking for other - /boot mount options are updated to handle this usecase. -+ automated: no - #rules: - #- mount_option_boot_noauto - -@@ -275,7 +281,7 @@ controls: - hardening measures. - Between two packages providing the same service, those subject to hardening - (at compilation, installation, or default configuration) must be preferred. -- #rules: TBD -+ automated: no - - - id: R17 - level: enhanced -@@ -283,6 +289,7 @@ controls: - description: >- - A boot loader to protect the password boot must be to be privileged. - This password must prevent any user from changing their configuration options. -+ automated: yes # without remediation - rules: - - grub2_password - - grub2_uefi_password -@@ -358,12 +365,28 @@ controls: - must be set up as soon as the system is installed: account and administration - passwords, root authority certificates, public keys, or certificates of the - host (and their respective private key). 
-- # rules: TBD -+ notes: >- -+ This concerns two aspects, the first is administrative, and involves prompt -+ installation of secrets or trusted elements by the sysadmin. -+ The second involves removal of any default secret or trusted element -+ configured by the operating system during install process, e.g. default -+ known passwords. -+ automated: no - - - id: R21 - level: intermediary - title: Hardening and monitoring of services subject to arbitrary flows -- # rules: TBD -+ notes: >- -+ SELinux can provide confinement and monitoring of services, and AIDE provides -+ basic integrity checking. System logs are configured as part of R43. -+ Hardening of particular services should be done on a case by case basis and is -+ not automated by this content. -+ automated: partially -+ rules: -+ - selinux_state -+ - var_selinux_state=enforcing -+ - package_aide_installed -+ - aide_build_database - - - id: R22 - level: intermediary -@@ -535,6 +558,7 @@ controls: - sysctl kernel.modules_disabledconf: - Prohibition of loading modules (except those already loaded to this point) - kernel.modules_disabled = 1 -+ automated: yes # without remediation - rules: - - sysctl_kernel_modules_disabled - -@@ -545,6 +569,7 @@ controls: - It is recommended to load the Yama security module at startup (by example - passing the security = yama argument to the kernel) and configure the - sysctl kernel.yama.ptrace_scope to a value of at least 1. -+ automated: yes - rules: - - sysctl_kernel_yama_ptrace_scope - -@@ -553,13 +578,19 @@ controls: - title: Disabling unused user accounts - description: >- - Unused user accounts must be disabled at the system level. -- # rules: TBD -+ notes: >- -+ The definition of unused user accounts is broad. It can include accounts -+ whose owners don't use the system anymore, or users created by services -+ or applicatons that should not be used. 
-+ automated: no - - - id: R27 - title: Disabling service accounts - level: intermediary - notes: >- - It is difficult to generally identify the system's service accounts. -+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values -+ are not enforced by the OS and can be changed over time. - Assisting rules could list users which are not disabled for manual review. - automated: no - -@@ -568,7 +599,11 @@ controls: - title: Uniqueness and exclusivity of system service accounts - description: >- - Each service must have its own system account and be dedicated to it exclusively. -- # rules: TBD -+ notes: >- -+ It is not trivial to identify wether a user account is a service account. -+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values -+ are not enforced by the OS and can be changed over time. -+ automated: no - - - id: R29 - level: enhanced -@@ -778,6 +813,7 @@ controls: - description: >- - The syslog services must be isolated from the rest of the system in a - dedicated container. -+ automated: no - # rules: TBD - - - id: R46 -@@ -825,6 +861,7 @@ controls: - This includes: directories containing executables, libraries, - configuration files, as well as any files that may contain sensitive - elements (cryptographic keys, passwords, confidential data). -+ automated: yes - rules: - - package_aide_installed - - aide_build_database -@@ -851,7 +888,12 @@ controls: - description: >- - The deployed services must have their access restricted to the system - strict minimum, especially when it comes to files, processes or network. -- # rules: TBD -+ notes: >- -+ SELinux policies limit the privileges of services and daemons to only what they require. 
-+ automated: partially -+ rules: -+ - selinux_policytype -+ - var_selinux_policy_name=targeted - - - id: R54 - level: enhanced -@@ -859,17 +901,24 @@ controls: - description: >- - Each component supporting the virtualization must be hardened, especially - by applying technical measures to counter the exploit attempts. -- # rules: TBD -+ notes: >- -+ It may be interesting to point out virtulization components that are installed and -+ should be hardened. -+ automated: no - - - id: R55 - level: intermediary - title: chroot jail and access right for partitioned service -- # rules: TBD -+ notes: >- -+ Automation to restrict access and chroot services is not generally reliable. -+ autmated: no - - - id: R56 - level: intermediary - title: Enablement and usage of chroot by a service -- # rules: TBD -+ notes: >- -+ Automation to restrict access and chroot services is not generally reliable. -+ automated: no - - - id: R57 - level: intermediary -@@ -924,7 +973,10 @@ controls: - description: >- - The commands requiring the execution of sub-processes (EXEC tag) must be - explicitly listed and their use should be reduced to a strict minimum. -- # rules: TBD -+ notes: >- -+ Human review is required to assess if the commands requiring EXEC is minimal. -+ An auxiliary rule could list rules containing EXEC tag, for analysis. -+ automated: no - - - id: R62 - level: intermediary -@@ -944,7 +996,13 @@ controls: - - id: R64 - level: intermediary - title: Good use of sudoedit -- # rules: TBD -+ description: A file requiring sudo to be edited, must be edited through the sudoedit command. -+ notes: >- -+ In R62 we established that the sudoers files should not use negations, thus the approach -+ for this requirement is to ensure that sudoedit is the only text editor allowed. -+ But it is difficult to ensure that allowed binaries aren't text editors without human -+ review. 
-+ automated: no - - - id: R65 - level: high -@@ -959,6 +1017,7 @@ controls: - description: >- - It is recommended to enable the targeted policy when the distribution - support it and that it does not operate another security module than SELinux. -+ automated: yes - rules: - - selinux_policytype - - var_selinux_policy_name=targeted - -From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 11 May 2021 17:49:42 +0200 -Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles - ---- - rhel7/profiles/anssi_nt28_high.profile | 2 +- - rhel8/profiles/anssi_bp28_high.profile | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile -index 22efad9c09..560460b55f 100644 ---- a/rhel7/profiles/anssi_nt28_high.profile -+++ b/rhel7/profiles/anssi_nt28_high.profile -@@ -1,6 +1,6 @@ - documentation_complete: true - --title: 'DRAFT - ANSSI-BP-028 (high)' -+title: 'ANSSI-BP-028 (high)' - - description: |- - This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. -diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile -index 22efad9c09..560460b55f 100644 ---- a/rhel8/profiles/anssi_bp28_high.profile -+++ b/rhel8/profiles/anssi_bp28_high.profile -@@ -1,6 +1,6 @@ - documentation_complete: true - --title: 'DRAFT - ANSSI-BP-028 (high)' -+title: 'ANSSI-BP-028 (high)' - - description: |- - This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. 
- -From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001 -From: Watson Yuuma Sato -Date: Fri, 14 May 2021 10:58:50 +0200 -Subject: [PATCH 4/6] Fix typos and improve language - -Co-authored-by: vojtapolasek ---- - controls/anssi.yml | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/controls/anssi.yml b/controls/anssi.yml -index 291af65f58..81d099e98b 100644 ---- a/controls/anssi.yml -+++ b/controls/anssi.yml -@@ -581,7 +581,7 @@ controls: - notes: >- - The definition of unused user accounts is broad. It can include accounts - whose owners don't use the system anymore, or users created by services -- or applicatons that should not be used. -+ or applications that should not be used. - automated: no - - - id: R27 -@@ -589,7 +589,7 @@ controls: - level: intermediary - notes: >- - It is difficult to generally identify the system's service accounts. -- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values -+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values - are not enforced by the OS and can be changed over time. - Assisting rules could list users which are not disabled for manual review. - automated: no -@@ -600,8 +600,8 @@ controls: - description: >- - Each service must have its own system account and be dedicated to it exclusively. - notes: >- -- It is not trivial to identify wether a user account is a service account. -- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values -+ It is not trivial to identify whether a user account is a service account. -+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values - are not enforced by the OS and can be changed over time. - automated: no - -@@ -889,7 +889,7 @@ controls: - The deployed services must have their access restricted to the system - strict minimum, especially when it comes to files, processes or network. 
- notes: >- -- SELinux policies limit the privileges of services and daemons to only what they require. -+ SELinux policies limit the privileges of services and daemons just to those which are required. - automated: partially - rules: - - selinux_policytype -@@ -902,7 +902,7 @@ controls: - Each component supporting the virtualization must be hardened, especially - by applying technical measures to counter the exploit attempts. - notes: >- -- It may be interesting to point out virtulization components that are installed and -+ It may be interesting to point out virtualization components that are installed and - should be hardened. - automated: no - -@@ -910,14 +910,14 @@ controls: - level: intermediary - title: chroot jail and access right for partitioned service - notes: >- -- Automation to restrict access and chroot services is not generally reliable. -- autmated: no -+ Using automation to restrict access and chroot services is not generally reliable. -+ automated: no - - - id: R56 - level: intermediary - title: Enablement and usage of chroot by a service - notes: >- -- Automation to restrict access and chroot services is not generally reliable. -+ Using automation to restrict access and chroot services is not generally reliable. - automated: no - - - id: R57 -@@ -974,7 +974,7 @@ controls: - The commands requiring the execution of sub-processes (EXEC tag) must be - explicitly listed and their use should be reduced to a strict minimum. - notes: >- -- Human review is required to assess if the commands requiring EXEC is minimal. -+ Human review is required to assess if the set of commands requiring EXEC is minimal. - An auxiliary rule could list rules containing EXEC tag, for analysis. 
- automated: no - - -From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 14 May 2021 11:41:30 +0200 -Subject: [PATCH 5/6] Update R1 notes and selected rule - ---- - controls/anssi.yml | 28 +++++++++---------- - .../package_xinetd_removed/rule.yml | 1 + - .../nis/package_ypbind_removed/rule.yml | 1 + - .../nis/package_ypserv_removed/rule.yml | 1 + - .../package_rsh-server_removed/rule.yml | 1 + - .../r_services/package_rsh_removed/rule.yml | 1 + - .../talk/package_talk-server_removed/rule.yml | 1 + - .../talk/package_talk_removed/rule.yml | 1 + - .../package_telnet-server_removed/rule.yml | 1 + - .../telnet/package_telnet_removed/rule.yml | 1 + - .../tftp/package_tftp-server_removed/rule.yml | 1 + - .../tftp/package_tftp_removed/rule.yml | 4 +++ - 13 files changed, 28 insertions(+), 15 deletions(-) - -diff --git a/controls/anssi.yml b/controls/anssi.yml -index 81d099e98b..ebee9c4259 100644 ---- a/controls/anssi.yml -+++ b/controls/anssi.yml -@@ -19,25 +19,25 @@ controls: - Those whose presence can not be justified should be disabled, removed or deleted. - automated: partially # The list of essential services is not objective. - notes: >- -- Manual review is required to assess if the installed services are minimal. -- In general, use of obsolete or insecure services is not recommended. - Performing a minimal install is a good starting point, but doesn't provide any assurance - over any package installed later. -+ Manual review is required to assess if the installed services are minimal. -+ In general, use of obsolete or insecure services is not recommended and we remove some -+ of these in this recommendation. 
- rules: - - package_dhcp_removed -- #- package_rsh_removed -- #- package_rsh-server_removed -+ - package_rsh_removed -+ - package_rsh-server_removed - - package_sendmail_removed -- - package_telnetd_removed -- #- package_talk_removed -- #- package_talk-server_removed -- #- package_telnet_removed -- #- package_telnet-server_removed -- #- package_tftp_removed -- #- package_tftp-server_removed -- #- package_xinetd_removed -- #- package_ypbind_removed -- #- package_ypserv_removed -+ - package_talk_removed -+ - package_talk-server_removed -+ - package_telnet_removed -+ - package_telnet-server_removed -+# - package_tftp_removed -+ - package_tftp-server_removed -+ - package_xinetd_removed -+ - package_ypbind_removed -+ - package_ypserv_removed - - - id: R2 - level: intermediary -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml -index e2431be9c5..9494025449 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml -@@ -18,6 +18,7 @@ identifiers: - cce@rhel8: CCE-80850-1 - - references: -+ anssi: BP28(R1) - cis@rhel8: 2.1.1 - disa: CCI-000305 - hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) -diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -index 97e27e2a4c..e836dc6fb1 100644 ---- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -@@ -24,6 +24,7 @@ identifiers: - cce@rhel8: CCE-82181-9 - - references: -+ anssi: BP28(R1) - cis@rhel7: 2.3.1 - cis@rhel8: 2.3.1 - hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) -diff --git 
a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -index ac1d8e6f4c..7ca7a67e69 100644 ---- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -@@ -22,6 +22,7 @@ identifiers: - cce@rhel8: CCE-82432-6 - - references: -+ anssi: BP28(R1) - stigid@ol7: OL07-00-020010 - cis@rhel7: 2.2.16 - cis@rhel8: 2.2.17 -diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml -index 21f4d7bae6..33c36cde67 100644 ---- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml -@@ -22,6 +22,7 @@ identifiers: - cce@rhel8: CCE-82184-3 - - references: -+ anssi: BP28(R1) - stigid@ol7: OL07-00-020000 - disa: CCI-000381 - hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) -diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml -index c8f4673a3a..dbc6bd7329 100644 ---- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml -@@ -23,6 +23,7 @@ identifiers: - cce@rhel8: CCE-82183-5 - - references: -+ anssi: BP28(R1) - cis@rhel7: 2.3.2 - cui: 3.1.13 - hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) -diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml -index 12971558e9..e46e4f55d0 100644 ---- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml -+++ 
b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml -@@ -18,6 +18,7 @@ identifiers: - cce@rhel8: CCE-82180-1 - - references: -+ anssi: BP28(R1) - cis@rhel7: 2.2.18 - hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) - -diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml -index 68e804ba38..24743fc2d6 100644 ---- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml -@@ -23,6 +23,7 @@ identifiers: - cce@rhel8: CCE-80848-5 - - references: -+ anssi: BP28(R1) - cis@rhel7: 2.3.3 - hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) - -diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml -index 7bb5ed5da3..24cf50ff29 100644 ---- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml -@@ -31,6 +31,7 @@ identifiers: - cce@sle15: CCE-83273-3 - - references: -+ anssi: BP28(R1) - stigid@ol7: OL07-00-021710 - cis@rhel7: 2.1.19 - disa: CCI-000381 -diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml -index 1b0128ec06..afef488734 100644 ---- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml -@@ -21,6 +21,7 @@ identifiers: - cce@rhel8: CCE-80849-3 - - references: -+ anssi: BP28(R1) - cis@rhel7: 2.3.4 - cis@rhel8: 2.3.2 - cui: 3.1.13 -diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml 
b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml -index 3fcc8db4c8..ca25bb2124 100644 ---- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml -@@ -22,6 +22,7 @@ identifiers: - cce@rhel8: CCE-82436-7 - - references: -+ anssi: BP28(R1) - stigid@ol7: OL07-00-040700 - disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814 - nist: CM-7(a),CM-7(b),CM-6(a) -diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml -index c3a501259c..0be9a60d38 100644 ---- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml -@@ -19,6 +19,10 @@ severity: low - - identifiers: - cce@rhel7: CCE-80443-5 -+ cce@rhel8: CCE-83590-0 -+ -+references: -+ anssi: BP28(R1) - - ocil: '{{{ describe_package_remove(package="tftp") }}}' - -From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 14 May 2021 11:43:32 +0200 -Subject: [PATCH 6/6] Update R5 notes and rule selection - -Note commented rules as related, and potentially useful. ---- - controls/anssi.yml | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/controls/anssi.yml b/controls/anssi.yml -index ebee9c4259..bba7148da9 100644 ---- a/controls/anssi.yml -+++ b/controls/anssi.yml -@@ -88,20 +88,22 @@ controls: - automated: partially - notes: >- - Defense in-depth can be broadly divided into three areas - physical, technical and -- administrative. The security profile is best suitedto protect the technical area. -+ administrative. The security profile is best suited to protect the technical area. 
- Among the barriers that can be implemented within the technical area are antivirus software, - authentication, multi-factor authentication, encryption, logging, auditing, sandboxing, - intrusion detection systems, firewalls and vulnerability scanners. -+ The selection below is not in any way exaustive and should be adapted to the system's needs. - rules: -- #- package_audit_installed -- #- service_auditd_enabled - - sudo_remove_no_authenticate - - package_rsyslog_installed - - service_rsyslog_enabled -- #- package_ntp_installed -- #- package_firewalld_installed -- #- service_firewalld_enabled -- #- sssd_enable_smartcards -+ related_rules: -+ - package_audit_installed -+ - service_auditd_enabled -+ - package_ntp_installed -+ - package_firewalld_installed -+ - service_firewalld_enabled -+ - sssd_enable_smartcards - - - id: R6 - level: enhanced diff --git a/scap-security-guide-0.1.57-build-system-pr-7025.patch b/scap-security-guide-0.1.57-build-system-pr-7025.patch deleted file mode 100644 index fd69a4b..0000000 --- a/scap-security-guide-0.1.57-build-system-pr-7025.patch +++ /dev/null 
@@ -1,477 +0,0 @@ -From aae5be64cdeb4a41caa3f3273342373cc4f4e9b2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 19 May 2021 18:01:14 +0200 -Subject: [PATCH 1/4] Add options for building Ansible and Bash content - -This patch adds 2 new options SSG_ANSIBLE_PLAYBOOKS_ENABLED and -SSG_BASH_SCRIPTS_ENABLED which will allow user to turn on or off -building and installing profile Bash remediation scripts and profile -Ansible Playbooks. They are enabled by default, therefore the default -behavior doesn't change, but people can turn them off to speed up the -build. These options can be useful when calling cmake in downstream spec -files. ---- - CMakeLists.txt | 4 +++ - cmake/SSGCommon.cmake | 60 +++++++++++++++++++++++-------------------- - 2 files changed, 36 insertions(+), 28 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 32a0ddd240a..c309efde9bd 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -46,6 +46,8 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali - option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE) - option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE) - option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE) -+option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE) -+option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE) - option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE) - option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." 
TRUE) - set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.") -@@ -240,6 +242,8 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA - message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}") - message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}") - message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}") -+message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}") -+message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}") - if (SSG_JINJA2_CACHE_ENABLED) - message(STATUS "jinja2 cache: enabled") - message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}") -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 889c0cf1d3c..9b109f86b9f 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -789,7 +789,7 @@ macro(ssg_build_product PRODUCT) - - add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml") - -- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}") -+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED) - add_dependencies( - ${PRODUCT}-content - generate-${PRODUCT}-ansible-playbooks -@@ -803,7 +803,7 @@ macro(ssg_build_product PRODUCT) - add_dependencies(zipfile ${PRODUCT}-profile-playbooks) - endif() - -- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}") -+ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED) - ssg_build_profile_bash_scripts(${PRODUCT}) - add_custom_target( - ${PRODUCT}-profile-bash-scripts -@@ -873,30 +873,34 @@ macro(ssg_build_product PRODUCT) - endif() - " - ) -- install( -- CODE " -- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n -- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}) -- file(INSTALL DESTINATION 
\"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" -- TYPE FILE FILES \${ROLE_FILES}) -- else() -- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" -- TYPE FILE FILES \${ROLE_FILES}) -- endif() -- " -- ) -- install( -- CODE " -- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n -- if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR}) -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\" -- TYPE FILE FILES \${ROLE_FILES}) -- else() -- file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\" -- TYPE FILE FILES \${ROLE_FILES}) -- endif() -- " -- ) -+ if(SSG_ANSIBLE_PLAYBOOKS_ENABLED) -+ install( -+ CODE " -+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n -+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}) -+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" -+ TYPE FILE FILES \${ROLE_FILES}) -+ else() -+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" -+ TYPE FILE FILES \${ROLE_FILES}) -+ endif() -+ " -+ ) -+ endif() -+ if(SSG_BASH_SCRIPTS_ENABLED) -+ install( -+ CODE " -+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n -+ if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR}) -+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\" -+ TYPE FILE FILES \${ROLE_FILES}) -+ else() -+ file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\" -+ TYPE FILE FILES \${ROLE_FILES}) -+ endif() -+ " -+ ) -+ endif() - - # grab all the kickstarts (if any) and install them - file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg") -@@ -968,7 +972,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) - - ssg_build_html_guides(${DERIVATIVE}) - -- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}") -+ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED) - ssg_build_profile_bash_scripts(${DERIVATIVE}) - 
add_custom_target( - ${DERIVATIVE}-profile-bash-scripts -@@ -977,7 +981,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) - add_dependencies(${DERIVATIVE} ${DERIVATIVE}-profile-bash-scripts) - endif() - -- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}") -+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED) - ssg_build_profile_playbooks(${DERIVATIVE}) - add_custom_target( - ${DERIVATIVE}-profile-playbooks - -From c7c7baa84ce722304224373c556a2d03edb0f76c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 20 May 2021 09:14:21 +0200 -Subject: [PATCH 2/4] Do not build HTML guide for the virtual default profile - -The virtual '(default)' profile is a profile that doesn't contain -any rules, so the built HTML guide also doesn't contain any rules -which means it contains only group descriptions. This HTML guide -has no use for the users and it only increases the built size. ---- - ssg/build_guides.py | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/ssg/build_guides.py b/ssg/build_guides.py -index 3b2a9469240..2e37d80eef3 100644 ---- a/ssg/build_guides.py -+++ b/ssg/build_guides.py -@@ -105,10 +105,6 @@ def get_benchmark_profile_pairs(input_tree, benchmarks): - for benchmark_id in benchmarks.keys(): - profiles = get_profile_choices_for_input(input_tree, benchmark_id, - None) -- -- # add the default profile -- profiles[""] = "(default)" -- - for profile_id in profiles: - pair = (benchmark_id, profile_id, profiles[profile_id]) - benchmark_profile_pairs.append(pair) - -From f2c265013dd5fe75fd47c8ce7afe9e2ecc7cf16f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 20 May 2021 09:49:51 +0200 -Subject: [PATCH 3/4] Add option to disable SCAP 1.2 data streams - -This commit adds a new option that enables to turn on building -the SCAP 1.2 source data streams (ssg-*-ds-1.2.xml). This option -will help people who don't want to build and ship this file. 
-The default setting is TRUE which means the default behavior -shouldn't change. ---- - CMakeLists.txt | 2 + - cmake/SSGCommon.cmake | 100 +++++++++++++++++++++++++++--------------- - 2 files changed, 67 insertions(+), 35 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index c309efde9bd..55b991cedfa 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -41,6 +41,7 @@ set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL - - set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}") - -+option(SSG_BUILD_SCAP_12_DS "If enabled, ssg-*-ds-1.2.xml will be built along with ssg-*-ds.xml" TRUE) - option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." TRUE) - option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests. Shellcheck tests don't pass right now, this option is discouraged until that's fixed." FALSE) - option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." 
TRUE) -@@ -238,6 +239,7 @@ message(STATUS " ") - message(STATUS "Build options:") - message(STATUS "SSG vendor string: ${SSG_VENDOR}") - message(STATUS "Target OVAL version: ${SSG_TARGET_OVAL_VERSION}") -+message(STATUS "Build SCAP 1.2 source data streams: ${SSG_BUILD_SCAP_12_DS}") - message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED}") - message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}") - message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}") -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 9b109f86b9f..412db46c687 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -555,7 +555,6 @@ macro(ssg_build_sds PRODUCT) - if("${PRODUCT}" MATCHES "rhel(6|7)") - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything - COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -@@ -563,10 +562,8 @@ macro(ssg_build_sds PRODUCT) - COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - COMMAND env 
"PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -578,22 +575,19 @@ macro(ssg_build_sds PRODUCT) - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" - DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" -- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml" -+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" - ) - else() - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything - COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env 
"PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -603,14 +597,30 @@ macro(ssg_build_sds PRODUCT) - DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" -- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml" -+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" -+ ) -+ endif() -+ -+ if(SSG_BUILD_SCAP_12_DS) -+ add_custom_command( -+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMENT "[${PRODUCT}-content] generating 
ssg-${PRODUCT}-ds-1.2.xml" -+ ) -+ add_custom_target( -+ generate-ssg-${PRODUCT}-ds.xml -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ ) -+ else() -+ add_custom_target( -+ generate-ssg-${PRODUCT}-ds.xml -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - ) - endif() -- add_custom_target( -- generate-ssg-${PRODUCT}-ds.xml -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -- ) - - if("${PRODUCT}" MATCHES "rhel(6|7|8|9)") - add_test( -@@ -626,10 +636,12 @@ macro(ssg_build_sds PRODUCT) - NAME "validate-ssg-${PRODUCT}-ds.xml" - COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - ) -- add_test( -- NAME "validate-ssg-${PRODUCT}-ds-1.2.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -- ) -+ if(SSG_BUILD_SCAP_12_DS) -+ add_test( -+ NAME "validate-ssg-${PRODUCT}-ds-1.2.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ ) -+ endif() - endif() - endmacro() - -@@ -640,7 +652,6 @@ macro(ssg_build_html_guides PRODUCT) - COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_all_guides.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/guides" build - DEPENDS generate-ssg-${PRODUCT}-ds.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - COMMENT "[${PRODUCT}-guides] generating HTML guides for all profiles in ssg-${PRODUCT}-ds.xml" - ) - add_custom_target( -@@ -854,8 +865,10 @@ macro(ssg_build_product PRODUCT) - install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - DESTINATION "${SSG_CONTENT_INSTALL_DIR}") - -- install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -- DESTINATION "${SSG_CONTENT_INSTALL_DIR}") -+ 
if(SSG_BUILD_SCAP_12_DS) -+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ DESTINATION "${SSG_CONTENT_INSTALL_DIR}") -+ endif() - - # This is a common cmake trick, we need the globbing to happen at build time - # and not configure time. -@@ -927,21 +940,34 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg - COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" -- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" - DEPENDS generate-ssg-${ORIGINAL}-ds.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" - DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" -- COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml and ssg-${DERIVATIVE}-ds-1.2.xml" -- ) -- add_custom_target( -- generate-ssg-${DERIVATIVE}-ds.xml -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -+ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml" - ) -+ 
if (SSG_BUILD_SCAP_12_DS) -+ add_custom_command( -+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg -+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -+ DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" -+ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds-1.2.xml" -+ ) -+ add_custom_target( -+ generate-ssg-${DERIVATIVE}-ds.xml -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -+ ) -+ else() -+ add_custom_target( -+ generate-ssg-${DERIVATIVE}-ds.xml -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" -+ ) -+ endif() -+ - define_validate_product("${PRODUCT}") - if ("${VALIDATE_PRODUCT}" OR "${FORCE_VALIDATE_EVERYTHING}") - add_test( -@@ -952,10 +978,12 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) - NAME "validate-ssg-${DERIVATIVE}-ds.xml" - COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" - ) -- add_test( -- NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -- ) -+ if (SSG_BUILD_SCAP_12_DS) -+ add_test( -+ NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -+ ) -+ endif() - endif() - - add_custom_target(${DERIVATIVE} ALL) -@@ -1004,8 +1032,10 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) 
- install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" - DESTINATION "${SSG_CONTENT_INSTALL_DIR}") - -- install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -- DESTINATION "${SSG_CONTENT_INSTALL_DIR}") -+ if(SSG_BUILD_SCAP_12_DS) -+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" -+ DESTINATION "${SSG_CONTENT_INSTALL_DIR}") -+ endif() - - # This is a common cmake trick, we need the globbing to happen at build time - # and not configure time. - -From 466d3cb4dac4688e234a0fd0eff7fb6e6ae4c578 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 21 May 2021 09:50:25 +0200 -Subject: [PATCH 4/4] Add options for Bash and Ansible to build_product - -This will allow people to build easily without Bash scripts -or without Ansible Playbooks. ---- - build_product | 22 +++++++++++++++++++++- - 1 file changed, 21 insertions(+), 1 deletion(-) - -diff --git a/build_product b/build_product -index cf84199e22e..8a186fbae0e 100755 ---- a/build_product -+++ b/build_product -@@ -7,6 +7,8 @@ - # ARG_OPTIONAL_SINGLE([jobs],[j],[Count of simultaneous jobs],[auto]) - # ARG_OPTIONAL_BOOLEAN([debug],[],[Make a debug build with draft profiles],[off]) - # ARG_OPTIONAL_BOOLEAN([derivatives],[],[Also build derivatives of products if applicable],[off]) -+# ARG_OPTIONAL_BOOLEAN([ansible-playbooks],[],[Build Ansible Playbooks for every profile],[on]) -+# ARG_OPTIONAL_BOOLEAN([bash-scripts],[],[Build Bash remediation scripts for every profile],[on]) - # ARG_OPTIONAL_BOOLEAN([datastream-only],[],[Build the datastream only. 
Do not build any of the guides, tables, etc],[off]) - # ARG_USE_ENV([ADDITIONAL_CMAKE_OPTIONS],[],[Whitespace-separated string of arguments to pass to CMake]) - # ARG_POSITIONAL_INF([product],[Products to build, ALL means all products],[0],[ALL]) -@@ -71,19 +73,23 @@ _arg_builder="auto" - _arg_jobs="auto" - _arg_debug="off" - _arg_derivatives="off" -+_arg_ansible_playbooks="on" -+_arg_bash_scripts="on" - _arg_datastream_only="off" - - - print_help() - { - printf '%s\n' "Wipes out contents of the 'build' directory and builds only and only the given products." -- printf 'Usage: %s [-o|--oval ] [-b|--builder ] [-j|--jobs ] [--(no-)debug] [--(no-)derivatives] [--(no-)datastream-only] [-h|--help] [] ... [] ...\n' "$0" -+ printf 'Usage: %s [-o|--oval ] [-b|--builder ] [-j|--jobs ] [--(no-)debug] [--(no-)derivatives] [--(no-)ansible-playbooks] [--(no-)bash-scripts] [--(no-)datastream-only] [-h|--help] [] ... [] ...\n' "$0" - printf '\t%s\n' ": Products to build, ALL means all products (defaults for : 'ALL')" - printf '\t%s\n' "-o, --oval: OVAL version. Can be one of: '5.10', '5.11' and 'auto' (default: 'auto')" - printf '\t%s\n' "-b, --builder: Builder engine. Can be one of: 'make', 'ninja' and 'auto' (default: 'auto')" - printf '\t%s\n' "-j, --jobs: Count of simultaneous jobs (default: 'auto')" - printf '\t%s\n' "--debug, --no-debug: Make a debug build with draft profiles (off by default)" - printf '\t%s\n' "--derivatives, --no-derivatives: Also build derivatives of products if applicable (off by default)" -+ printf '\t%s\n' "--ansible-playbooks, --no-ansible-playbooks: Build Ansible Playbooks for every profile (on by default)" -+ printf '\t%s\n' "--bash-scripts, --no-bash-scripts: Build Bash remediation scripts for every profile (on by default)" - printf '\t%s\n' "--datastream-only, --no-datastream-only: Build the datastream only. 
Do not build any of the guides, tables, etc (off by default)" - printf '\t%s\n' "-h, --help: Prints help" - printf '\nEnvironment variables that are supported:\n' -@@ -140,6 +146,14 @@ parse_commandline() - _arg_derivatives="on" - test "${1:0:5}" = "--no-" && _arg_derivatives="off" - ;; -+ --no-ansible-playbooks|--ansible-playbooks) -+ _arg_ansible_playbooks="on" -+ test "${1:0:5}" = "--no-" && _arg_ansible_playbooks="off" -+ ;; -+ --no-bash-scripts|--bash-scripts) -+ _arg_bash_scripts="on" -+ test "${1:0:5}" = "--no-" && _arg_bash_scripts="off" -+ ;; - --no-datastream-only|--datastream-only) - _arg_datastream_only="on" - test "${1:0:5}" = "--no-" && _arg_datastream_only="off" -@@ -339,6 +353,12 @@ done - - CMAKE_OPTIONS=(${ADDITIONAL_CMAKE_OPTIONS} "${build_type_option}" "${oval_major_version_option}" "${oval_minor_version_option}" '-DSSG_PRODUCT_DEFAULT=OFF' "${cmake_enable_args[@]}" -G "$cmake_generator") - set_no_derivatives_options -+if [ "$_arg_ansible_playbooks" = off ] ; then -+ CMAKE_OPTIONS+=("-DSSG_ANSIBLE_PLAYBOOKS_ENABLED:BOOL=OFF") -+fi -+if [ "$_arg_bash_scripts" = off ] ; then -+ CMAKE_OPTIONS+=("-DSSG_BASH_SCRIPTS_ENABLED:BOOL=OFF") -+fi - EXPLICIT_BUILD_TARGETS=() - set_explict_build_targets - diff --git a/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch b/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch deleted file mode 100644 index 595f26a..0000000 --- a/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch +++ /dev/null 
@@ -1,202 +0,0 @@ -From 35c61f74925f99536595824b0e787254ed89c64f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 26 May 2021 11:36:58 +0200 -Subject: [PATCH 1/3] Fix output declararation of command generating ds - -The custom command declares that it outputs the derivative 1.2 ds and -this causes the actual command that generates the derivative 1.2 not to -be run. ---- - cmake/SSGCommon.cmake | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 412db46c68..272b40ccf3 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -939,7 +939,6 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) - - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" - COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" - DEPENDS generate-ssg-${ORIGINAL}-ds.xml - -From 551c225accec34e55ac1f011fbd5db7755b5f9ed Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 26 May 2021 14:46:26 +0200 -Subject: [PATCH 2/3] Fix order in which SCAP 1.2 and 1.3 are generated - -The data stream can be upgraded to 1.3, but not downgrated to 1.2. -Instead of chaining generation of DS version on each other, let's -generate a base ds from which SCAP 1.2 and 1.3 are generated. 
---- - cmake/SSGCommon.cmake | 43 ++++++++++++++++++++++++------------------- - 1 file changed, 24 insertions(+), 19 deletions(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 272b40ccf3..977c3957d1 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -554,16 +554,14 @@ endmacro() - macro(ssg_build_sds PRODUCT) - if("${PRODUCT}" MATCHES "rhel(6|7)") - add_custom_command( -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${SED_EXECUTABLE}" -i 
's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -575,19 +573,17 @@ macro(ssg_build_sds PRODUCT) - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" - DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" -- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" -+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml" - ) - else() - add_custom_command( -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" 
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -597,17 +593,26 @@ macro(ssg_build_sds PRODUCT) - DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" -- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" -+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml" - ) - endif() - -+ add_custom_command( -+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output 
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3" -+ ) -+ - if(SSG_BUILD_SCAP_12_DS) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml" - ) - add_custom_target( - -From 97b1df0349c9c685cc07a0d3e3fd88385e0cd15d Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 26 May 2021 14:51:32 +0200 -Subject: [PATCH 3/3] Move product base ds to product dir - -The base ds is used to facilitate generation of SCAP 1.2 and SCAP 1.3 -data streams. -The base ds is an intermediary product and can be stored in the product -specific dir. 
---- - cmake/SSGCommon.cmake | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 977c3957d1..111b2b32ed 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -554,14 +554,14 @@ endmacro() - macro(ssg_build_sds PRODUCT) - if("${PRODUCT}" MATCHES "rhel(6|7)") - add_custom_command( -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add 
--skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -577,13 +577,13 @@ macro(ssg_build_sds PRODUCT) - ) - else() - add_custom_command( -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND env 
"PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -600,9 +600,9 @@ macro(ssg_build_sds PRODUCT) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3" - ) - -@@ -610,9 +610,9 @@ macro(ssg_build_sds PRODUCT) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input 
"${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml" - ) - add_custom_target( diff --git a/scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch b/scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch deleted file mode 100644 index 47df298..0000000 --- a/scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch +++ /dev/null 
@@ -1,224 +0,0 @@ -From 7283a29c601c250f9809886860f89d4e673be577 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 24 May 2021 17:25:38 +0200 -Subject: [PATCH 1/6] Add option to enable installation of individual ansible - tasks per rule. - ---- - CMakeLists.txt | 1 + - cmake/SSGCommon.cmake | 14 ++++++++++++++ - 2 files changed, 15 insertions(+) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 55b991cedfa..13ddcf6aa7c 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -49,6 +49,7 @@ option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the S - option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE) - option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE) - option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE) -+option(SSG_ANSIBLE_TASKS_ENABLED "If enabled, Ansible Tasks for each rule will be installed." FALSE) - option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE) - option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE) - set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. 
You can use one location for multiple SSG builds for performance improvements.") -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 412db46c687..e1480561ee1 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -914,6 +914,20 @@ macro(ssg_build_product PRODUCT) - " - ) - endif() -+ if(SSG_ANSIBLE_TASKS_ENABLED) -+ install( -+ CODE " -+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n -+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks) -+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\" -+ TYPE FILE FILES \${ROLE_FILES}) -+ else() -+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\" -+ TYPE FILE FILES \${ROLE_FILES}) -+ endif() -+ " -+ ) -+ endif() - - # grab all the kickstarts (if any) and install them - file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg") - -From 81f9051433bec735f0ce915290d465ba98401f86 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Tue, 25 May 2021 17:07:15 +0200 -Subject: [PATCH 2/6] Rename ansible per rule cmake option. - ---- - CMakeLists.txt | 2 +- - cmake/SSGCommon.cmake | 14 +++++++------- - 2 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 13ddcf6aa7c..04779b18cbc 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -48,8 +48,8 @@ option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used - option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE) - option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE) - option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." 
TRUE) -+option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE) - option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE) --option(SSG_ANSIBLE_TASKS_ENABLED "If enabled, Ansible Tasks for each rule will be installed." FALSE) - option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE) - option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE) - set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.") -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index e1480561ee1..b3710caafbf 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -914,16 +914,16 @@ macro(ssg_build_product PRODUCT) - " - ) - endif() -- if(SSG_ANSIBLE_TASKS_ENABLED) -+ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED) - install( - CODE " -- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n -- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks) -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\" -- TYPE FILE FILES \${ROLE_FILES}) -+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n -+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks) -+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\" -+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES}) - else() -- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\" -- TYPE FILE FILES \${ROLE_FILES}) -+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\" -+ TYPE FILE FILES 
\${PLAYBOOK_PER_RULE_FILES}) - endif() - " - ) - -From 2f424af420f3520797780287812474a5f7c03f07 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Tue, 25 May 2021 17:07:22 +0200 -Subject: [PATCH 3/6] Guard build of playbooks per rule by a new CMake Option. - ---- - cmake/SSGCommon.cmake | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index b3710caafbf..04bdfe04bae 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -769,7 +769,7 @@ macro(ssg_build_product PRODUCT) - ssg_build_xccdf_unlinked(${PRODUCT}) - ssg_build_ocil_unlinked(${PRODUCT}) - ssg_build_remediations(${PRODUCT}) -- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}") -+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED) - ssg_build_ansible_playbooks(${PRODUCT}) - endif() - ssg_build_xccdf_with_remediations(${PRODUCT}) - -From 406a49b4c617499e538817579920b23fc81a09e6 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Tue, 25 May 2021 17:40:10 +0200 -Subject: [PATCH 4/6] Print message for CMake option enable ansible playbooks - per rule. 
- ---- - CMakeLists.txt | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 04779b18cbc..bba7dd60356 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -246,6 +246,7 @@ message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VA - message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}") - message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}") - message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}") -+message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}") - message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}") - if (SSG_JINJA2_CACHE_ENABLED) - message(STATUS "jinja2 cache: enabled") - -From 5a185a653ba4f58bdfcee37bfd61812763a2f525 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Tue, 25 May 2021 17:40:42 +0200 -Subject: [PATCH 5/6] Fix path of gathered ansible playbooks per rule. - ---- - cmake/SSGCommon.cmake | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 04bdfe04bae..a382bb787b5 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -917,12 +917,12 @@ macro(ssg_build_product PRODUCT) - if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED) - install( - CODE " -- file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n -- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks) -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\" -+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n -+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks) -+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\" - TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES}) - else() -- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\" -+ file(INSTALL 
DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\" - TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES}) - endif() - " - -From 8b99c9c2a50653b37f88b9eb3bc2b46ae3586be3 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 27 May 2021 15:55:20 +0200 -Subject: [PATCH 6/6] Move product dependency closer to declaration - -A dependency on rule playbooks target was being added from a -conditional branch related to profile playbooks. -It caused issues when building profile playbooks but not rule playbooks, -the rule playbooks target would not exist, but still be added as -dependency. - -Co-authored-by: Watson Sato ---- - cmake/SSGCommon.cmake | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index a382bb787b5..dc661cc2904 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -769,8 +769,13 @@ macro(ssg_build_product PRODUCT) - ssg_build_xccdf_unlinked(${PRODUCT}) - ssg_build_ocil_unlinked(${PRODUCT}) - ssg_build_remediations(${PRODUCT}) -+ - if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED) - ssg_build_ansible_playbooks(${PRODUCT}) -+ add_dependencies( -+ ${PRODUCT}-content -+ generate-${PRODUCT}-ansible-playbooks -+ ) - endif() - ssg_build_xccdf_with_remediations(${PRODUCT}) - ssg_build_oval_unlinked(${PRODUCT}) -@@ -801,10 +806,6 @@ macro(ssg_build_product PRODUCT) - add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml") - - if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED) -- add_dependencies( -- ${PRODUCT}-content -- generate-${PRODUCT}-ansible-playbooks -- ) - ssg_build_profile_playbooks(${PRODUCT}) - add_custom_target( - ${PRODUCT}-profile-playbooks diff --git a/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch b/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch deleted file mode 100644 index 4f953b8..0000000 
--- a/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch
+++ /dev/null
@@ -1,11207 +0,0 @@ -From 215db1bbe08fdaf1139f563abf9515e8a15a6457 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 10 Jun 2021 19:36:47 +0200 -Subject: [PATCH 1/4] Added RHEL9 profiles that are based on RHEL8 profiles. - -Unsupported rules are commented out. ---- - .../profiles/anssi_bp28_enhanced.profile | 16 + - .../rhel9/profiles/anssi_bp28_high.profile | 15 + - .../profiles/anssi_bp28_intermediary.profile | 15 + - .../rhel9/profiles/anssi_bp28_minimal.profile | 16 + - rhel9/profiles/cis.profile | 1088 +++++++++++++++++ - rhel9/profiles/cjis.profile | 139 +++ - rhel9/profiles/cui.profile | 32 + - rhel9/profiles/e8.profile | 149 +++ - rhel9/profiles/hipaa.profile | 164 +++ - rhel9/profiles/ism_o.profile | 134 ++ - rhel9/profiles/ospp-mls.profile | 25 + - rhel9/profiles/ospp.profile | 444 +++++++ - rhel9/profiles/pci-dss.profile | 134 +- - rhel9/profiles/rht-ccp.profile | 100 ++ - rhel9/profiles/standard.profile | 67 + - rhel9/profiles/stig.profile | 1069 ++++++++++++++++ - rhel9/profiles/stig_gui.profile | 36 + - 17 files changed, 3640 insertions(+), 3 deletions(-) - create mode 100644 rhel9/profiles/anssi_bp28_enhanced.profile - create mode 100644 rhel9/profiles/anssi_bp28_high.profile - create mode 100644 rhel9/profiles/anssi_bp28_intermediary.profile - create mode 100644 rhel9/profiles/anssi_bp28_minimal.profile - create mode 100644 rhel9/profiles/cis.profile - create mode 100644 rhel9/profiles/cjis.profile - create mode 100644 rhel9/profiles/cui.profile - create mode 100644 rhel9/profiles/e8.profile - create mode 100644 rhel9/profiles/hipaa.profile - create mode 100644 rhel9/profiles/ism_o.profile - create mode 100644 rhel9/profiles/ospp-mls.profile - create mode 100644 rhel9/profiles/ospp.profile - create mode 100644 rhel9/profiles/rht-ccp.profile - create mode 100644 rhel9/profiles/standard.profile - create mode 100644 rhel9/profiles/stig.profile - create mode 100644 rhel9/profiles/stig_gui.profile - -diff --git 
a/rhel9/profiles/anssi_bp28_enhanced.profile b/rhel9/profiles/anssi_bp28_enhanced.profile -new file mode 100644 -index 00000000000..bbc11353f3b ---- /dev/null -+++ b/rhel9/profiles/anssi_bp28_enhanced.profile -@@ -0,0 +1,16 @@ -+documentation_complete: true -+ -+title: 'ANSSI-BP-028 (enhanced)' -+ -+description: |- -+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. -+ -+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. -+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. -+ -+ A copy of the ANSSI-BP-028 can be found at the ANSSI website: -+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ -+ -+selections: -+ - anssi:all:enhanced -+ - '!selinux_state' -diff --git a/rhel9/profiles/anssi_bp28_high.profile b/rhel9/profiles/anssi_bp28_high.profile -new file mode 100644 -index 00000000000..560460b55f7 ---- /dev/null -+++ b/rhel9/profiles/anssi_bp28_high.profile -@@ -0,0 +1,15 @@ -+documentation_complete: true -+ -+title: 'ANSSI-BP-028 (high)' -+ -+description: |- -+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. -+ -+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. -+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
-+ -+ A copy of the ANSSI-BP-028 can be found at the ANSSI website: -+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ -+ -+selections: -+ - anssi:all:high -diff --git a/rhel9/profiles/anssi_bp28_intermediary.profile b/rhel9/profiles/anssi_bp28_intermediary.profile -new file mode 100644 -index 00000000000..a5920316735 ---- /dev/null -+++ b/rhel9/profiles/anssi_bp28_intermediary.profile -@@ -0,0 +1,15 @@ -+documentation_complete: true -+ -+title: 'ANSSI-BP-028 (intermediary)' -+ -+description: |- -+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. -+ -+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. -+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. -+ -+ A copy of the ANSSI-BP-028 can be found at the ANSSI website: -+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ -+ -+selections: -+ - anssi:all:intermediary -diff --git a/rhel9/profiles/anssi_bp28_minimal.profile b/rhel9/profiles/anssi_bp28_minimal.profile -new file mode 100644 -index 00000000000..cef8394114d ---- /dev/null -+++ b/rhel9/profiles/anssi_bp28_minimal.profile -@@ -0,0 +1,16 @@ -+documentation_complete: true -+ -+title: 'ANSSI-BP-028 (minimal)' -+ -+description: |- -+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. -+ -+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. -+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
-+ -+ A copy of the ANSSI-BP-028 can be found at the ANSSI website: -+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ -+ -+selections: -+ - anssi:all:minimal -+ -diff --git a/rhel9/profiles/cis.profile b/rhel9/profiles/cis.profile -new file mode 100644 -index 00000000000..8939011ad1f ---- /dev/null -+++ b/rhel9/profiles/cis.profile -@@ -0,0 +1,1088 @@ -+documentation_complete: true -+ -+metadata: -+ version: 1.0.0 -+ SMEs: -+ - vojtapolasek -+ - yuumasato -+ -+reference: https://www.cisecurity.org/benchmark/red_hat_linux/ -+ -+title: 'CIS Red Hat Enterprise Linux 8 Benchmark' -+ -+description: |- -+ This profile defines a baseline that aligns to the Center for Internet Security® -+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. -+ -+ This profile includes Center for Internet Security® -+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. -+ -+selections: -+ # Necessary for dconf rules -+# - dconf_db_up_to_date # not supported in RHEL9 ATM -+ -+ ### Partitioning -+ - mount_option_home_nodev -+ -+ ## 1.1 Filesystem Configuration -+ -+ ### 1.1.1 Disable unused filesystems -+ -+ #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) -+ - kernel_module_cramfs_disabled -+ -+ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) -+ -+ -+ #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) -+ - kernel_module_squashfs_disabled -+ -+ #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) -+ - kernel_module_udf_disabled -+ -+ ### 1.1.2 Ensure /tmp is configured (Scored) -+ - partition_for_tmp -+ -+ ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) -+ - mount_option_tmp_nodev -+ -+ ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) -+ - mount_option_tmp_nosuid -+ -+ ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) -+ - mount_option_tmp_noexec -+ -+ ### 1.1.6 Ensure separate partition exists for 
/var (Scored) -+ - partition_for_var -+ -+ ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) -+ - partition_for_var_tmp -+ -+ ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) -+ - mount_option_var_tmp_nodev -+ -+ ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) -+ - mount_option_var_tmp_nosuid -+ -+ ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) -+ - mount_option_var_tmp_noexec -+ -+ ### 1.1.11 Ensure separate partition exists for /var/log (Scored) -+ - partition_for_var_log -+ -+ ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) -+ - partition_for_var_log_audit -+ -+ ### 1.1.13 Ensure separate partition exists for /home (Scored) -+ - partition_for_home -+ -+ ### 1.1.14 Ensure nodev option set on /home partition (Scored) -+ - mount_option_home_nodev -+ -+ ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) -+ - mount_option_dev_shm_nodev -+ -+ ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) -+ - mount_option_dev_shm_nosuid -+ -+ ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) -+ - mount_option_dev_shm_noexec -+ -+ ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) -+ - mount_option_nodev_removable_partitions -+ -+ ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) -+ - mount_option_nosuid_removable_partitions -+ -+ ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) -+ - mount_option_noexec_removable_partitions -+ -+ ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) -+ - dir_perms_world_writable_sticky_bits -+ -+ ### 1.1.22 Disable Automounting (Scored) -+ - service_autofs_disabled -+ -+ ### 1.1.23 Disable USB Storage (Scored) -+ - kernel_module_usb-storage_disabled -+ -+ ## 1.2 Configure Software Updates -+ -+ ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored) -+ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5218 -+ -+ ### 1.2.2 Disable the rhnsd Daemon (Not Scored) -+ - service_rhnsd_disabled -+ -+ ### 1.2.3 Ensure GPG keys are configured (Not Scored) -+ - ensure_redhat_gpgkey_installed -+ -+ ### 1.2.4 Ensure gpgcheck is globally activated (Scored) -+ - ensure_gpgcheck_globally_activated -+ -+ ### 1.2.5 Ensure package manager repositories are configured (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219 -+ -+ ## 1.3 Configure sudo -+ -+ ### 1.3.1 Ensure sudo is installed (Scored) -+ - package_sudo_installed -+ -+ ### 1.3.2 Ensure sudo commands use pty (Scored) -+ - sudo_add_use_pty -+ -+ ### 1.3.3 Ensure sudo log file exists (Scored) -+ - sudo_custom_logfile -+ -+ ## 1.4 Filesystem Integrity Checking -+ -+ ### 1.4.1 Ensure AIDE is installed (Scored) -+ - package_aide_installed -+ -+ ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored) -+ - aide_periodic_cron_checking -+ -+ ## Secure Boot Settings -+ -+ ### 1.5.1 Ensure permissions on bootloader config are configured (Scored) -+ #### chown root:root /boot/grub2/grub.cfg -+ - file_owner_grub2_cfg -+ - file_groupowner_grub2_cfg -+ -+ #### chmod og-rwx /boot/grub2/grub.cfg -+ - file_permissions_grub2_cfg -+ -+ #### chown root:root /boot/grub2/grubenv -+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 -+ -+ #### chmod og-rwx /boot/grub2/grubenv -+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 -+ -+ ### 1.5.2 Ensure bootloader password is set (Scored) -+ - grub2_password -+ -+ ### 1.5.3 Ensure authentication required for single user mode (Scored) -+ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue -+ - require_singleuser_auth -+ -+ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency -+ - require_emergency_target_auth -+ -+ ## 1.6 Additional Process Hardening -+ -+ ### 1.6.1 Ensure core dumps are restricted (Scored) -+ #### * hard core 0 -+ - 
disable_users_coredumps -+ -+ #### fs.suid_dumpable = 0 -+ - sysctl_fs_suid_dumpable -+ -+ #### ProcessSizeMax=0 -+# - coredump_disable_backtraces -+ -+ #### Storage=none -+# - coredump_disable_storage -+ -+ ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled -+ - sysctl_kernel_randomize_va_space -+ -+ ## 1.7 Mandatory Access Control -+ -+ ### 1.7.1 Configure SELinux -+ -+ #### 1.7.1.1 Ensure SELinux is installed (Scored) -+ - package_libselinux_installed -+ -+ #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored) -+ - grub2_enable_selinux -+ -+ #### 1.7.1.3 Ensure SELinux policy is configured (Scored) -+ - var_selinux_policy_name=targeted -+ - selinux_policytype -+ -+ #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored) -+ - var_selinux_state=enforcing -+ - selinux_state -+ -+ #### 1.7.1.5 Ensure no unconfied services exist (Scored) -+ - selinux_confinement_of_daemons -+ -+ #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored) -+ - package_setroubleshoot_removed -+ -+ #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) -+ - package_mcstrans_removed -+ -+ ## Warning Banners -+ -+ ### 1.8.1 Command Line Warning Baners -+ -+ #### 1.8.1.1 Ensure message of the day is configured properly (Scored) -+ - banner_etc_motd -+ -+ #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored) -+ - banner_etc_issue -+ -+ #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225 -+ -+ #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored) -+ # chmod u-x,go-wx /etc/motd -+ - file_permissions_etc_motd -+ -+ #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored) -+ # chmod u-x,go-wx /etc/issue -+ - file_permissions_etc_issue -+ -+ #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored) -+ # Previously addressed via 
'rpm_verify_permissions' rule
-+
-+ ### 1.8.2 Ensure GDM login banner is configured (Scored)
-+ #### banner-message-enable=true
-+# - dconf_gnome_banner_enabled # not supported in RHEL9 ATM
-+
-+ #### banner-message-text=''
-+# - dconf_gnome_login_banner_text # not supported in RHEL9 ATM
-+
-+ ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
-+ - security_patches_up_to_date
-+
-+ ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
-+ - var_system_crypto_policy=future
-+ - configure_crypto_policy
-+
-+ ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
-+ # Previously addressed via 'configure_crypto_policy' rule
-+
-+ # Services
-+
-+ ## 2.1 inetd Services
-+
-+ ### 2.1.1 Ensure xinetd is not installed (Scored)
-+ - package_xinetd_removed
-+
-+ ## 2.2 Special Purpose Services
-+
-+ ### 2.2.1 Time Synchronization
-+
-+ #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
-+ - package_chrony_installed
-+
-+ #### 2.2.1.2 Ensure chrony is configured (Scored)
-+ - service_chronyd_enabled
-+ - chronyd_specify_remote_server
-+ - chronyd_run_as_chrony_user
-+
-+ ### 2.2.2 Ensure X Window System is not installed (Scored)
-+ - package_xorg-x11-server-common_removed
-+ - xwindows_runlevel_target
-+
-+ ### 2.2.3 Ensure rsync service is not enabled (Scored)
-+ - service_rsyncd_disabled
-+
-+ ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
-+ - service_avahi-daemon_disabled
-+
-+ ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
-+ - service_snmpd_disabled
-+
-+ ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
-+ - package_squid_removed
-+
-+ ### 2.2.7 Ensure Samba is not enabled (Scored)
-+ - service_smb_disabled
-+
-+ ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
-+ - service_dovecot_disabled
-+
-+ ### 2.2.9 Ensure HTTP server is not enabled (Scored)
-+ - service_httpd_disabled
-+
-+ ### 2.2.10 Ensure FTP Server is not enabled (Scored)
-+ - service_vsftpd_disabled
-+
-+ ### 2.2.11 Ensure DNS Server is not enabled (Scored)
-+ - service_named_disabled
-+
-+ ### 2.2.12 Ensure NFS is not enabled (Scored)
-+ - service_nfs_disabled
-+
-+ ### 2.2.13 Ensure RPC is not enabled (Scored)
-+ - service_rpcbind_disabled
-+
-+ ### 2.2.14 Ensure LDAP service is not enabled (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
-+
-+ ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
-+ - service_dhcpd_disabled
-+
-+ ### 2.2.16 Ensure CUPS is not enabled (Scored)
-+ - service_cups_disabled
-+
-+ ### 2.2.17 Ensure NIS Server is not enabled (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
-+
-+ ### 2.2.18 Ensure mail transfer agent is configured for
-+ ### local-only mode (Scored)
-+ - postfix_network_listening_disabled
-+
-+ ## 2.3 Service Clients
-+
-+ ### 2.3.1 Ensure NIS Client is not installed (Scored)
-+ - package_ypbind_removed
-+
-+ ### 2.3.2 Ensure telnet client is not installed (Scored)
-+ - package_telnet_removed
-+
-+ ### Ensure LDAP client is not installed
-+ - package_openldap-clients_removed
-+
-+ # 3 Network Configuration
-+
-+ ## 3.1 Network Parameters (Host Only)
-+
-+ ### 3.1.1 Ensure IP forwarding is disabled (Scored)
-+ #### net.ipv4.ip_forward = 0
-+ - sysctl_net_ipv4_ip_forward
-+
-+ #### net.ipv6.conf.all.forwarding = 0
-+ - sysctl_net_ipv6_conf_all_forwarding
-+
-+ ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
-+ #### net.ipv4.conf.all.send_redirects = 0
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+
-+ #### net.ipv4.conf.default.send_redirects = 0
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+
-+ ## 3.2 Network Parameters (Host and Router)
-+
-+ ### 3.2.1 Ensure source routed packets are not accepted (Scored)
-+ #### net.ipv4.conf.all.accept_source_route = 0
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+
-+ #### net.ipv4.conf.default.accept_source_route = 0
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+
-+ ####
net.ipv6.conf.all.accept_source_route = 0
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+
-+ #### net.ipv6.conf.default.accept_source_route = 0
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+
-+ ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
-+ #### net.ipv4.conf.all.accept_redirects = 0
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+
-+ #### net.ipv4.conf.default.accept_redirects
-+ - sysctl_net_ipv4_conf_default_accept_redirects
-+
-+ #### net.ipv6.conf.all.accept_redirects = 0
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+
-+ #### net.ipv6.conf.defaults.accept_redirects = 0
-+ - sysctl_net_ipv6_conf_default_accept_redirects
-+
-+ ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
-+ #### net.ipv4.conf.all.secure_redirects = 0
-+ - sysctl_net_ipv4_conf_all_secure_redirects
-+
-+ #### net.ipv4.cof.default.secure_redirects = 0
-+ - sysctl_net_ipv4_conf_default_secure_redirects
-+
-+ ### 3.2.4 Ensure suspicious packets are logged (Scored)
-+ #### net.ipv4.conf.all.log_martians = 1
-+ - sysctl_net_ipv4_conf_all_log_martians
-+
-+ #### net.ipv4.conf.default.log_martians = 1
-+ - sysctl_net_ipv4_conf_default_log_martians
-+
-+ ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+
-+ ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+
-+ ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
-+ #### net.ipv4.conf.all.rp_filter = 1
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+
-+ #### net.ipv4.conf.default.rp_filter = 1
-+ - sysctl_net_ipv4_conf_default_rp_filter
-+
-+ ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
-+ - sysctl_net_ipv4_tcp_syncookies
-+
-+ ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
-+ #### net.ipv6.conf.all.accept_ra = 0
-+ - sysctl_net_ipv6_conf_all_accept_ra
-+
-+ #### net.ipv6.conf.default.accept_ra = 0
-+ - sysctl_net_ipv6_conf_default_accept_ra
-+
-+ ## 3.3 Uncommon Network Protocols
-+
-+ ### 3.3.1 Ensure DCCP is disabled (Scored)
-+ - kernel_module_dccp_disabled
-+
-+ ### Ensure SCTP is disabled (Scored)
-+ - kernel_module_sctp_disabled
-+
-+ ### 3.3.3 Ensure RDS is disabled (Scored)
-+ - kernel_module_rds_disabled
-+
-+ ### 3.3.4 Ensure TIPC is disabled (Scored)
-+ - kernel_module_tipc_disabled
-+
-+ ## 3.4 Firewall Configuration
-+
-+ ### 3.4.1 Ensure Firewall software is installed
-+
-+ #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
-+ ##### firewalld
-+ - package_firewalld_installed
-+
-+ ##### nftables
-+ #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
-+
-+ ##### iptables
-+ #- package_iptables_installed
-+
-+ ### 3.4.2 Configure firewalld
-+
-+ #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
-+ - service_firewalld_enabled
-+
-+ #### 3.4.2.2 Ensure iptables is not enabled (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
-+
-+ #### 3.4.2.3 Ensure nftables is not enabled (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
-+
-+ #### 3.4.2.4 Ensure default zone is set (Scored)
-+ - set_firewalld_default_zone
-+
-+ #### 3.4.2.5 Ensure network interfaces are assigned to
-+ #### appropriate zone (Not Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
-+
-+ #### 3.4.2.6 Ensure unnecessary services and ports are not
-+ #### accepted (Not Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
-+
-+ ### 3.4.3 Configure nftables
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
-+
-+ #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
-+
-+ #### 3.4.3.2 Ensure a table exists (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
-+
-+ #### 3.4.3.3 Ensure base chains exist (Scored)
-+ # NEEDS RULE -
https://github.com/ComplianceAsCode/content/issues/5245
-+
-+ #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
-+
-+ #### 3.4.3.5 Ensure outbound and established connections are
-+ #### configured (Not Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
-+
-+ #### 3.4.3.6 Ensure default deny firewall policy (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
-+
-+ #### 3.4.3.7 Ensure nftables service is enabled (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
-+
-+ #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
-+
-+ ### 3.4.4 Configure iptables
-+
-+ #### 3.4.4.1 Configure IPv4 iptables
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
-+
-+ ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
-+
-+ ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
-+
-+ ##### 3.4.4.1.3 Ensure outbound and established connections are
-+ ##### configured (Not Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
-+
-+ ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
-+
-+ #### 3.4.4.2 Configure IPv6 ip6tables
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
-+
-+ ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
-+
-+ ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
-+
-+ ##### 3.4.4.2.3 Ensure IPv6
outbound and established connections are
-+ ##### configured (Not Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
-+
-+ ## 3.5 Ensure wireless interfaces are disabled (Scored)
-+ - wireless_disable_interfaces
-+
-+ ## 3.6 Disable IPv6 (Not Scored)
-+ - kernel_module_ipv6_option_disabled
-+
-+ # Logging and Auditing
-+
-+ ## 4.1 Configure System Accounting (auditd)
-+
-+ ### 4.1.1 Ensure auditing is enabled
-+
-+ #### 4.1.1.1 Ensure auditd is installed (Scored)
-+ - package_audit_installed
-+
-+ #### 4.1.1.2 Ensure auditd service is enabled (Scored)
-+ - service_auditd_enabled
-+
-+ #### 4.1.1.3 Ensure auditing for processes that start prior to audit
-+ #### is enabled (Scored)
-+ - grub2_audit_argument
-+
-+ #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
-+ - grub2_audit_backlog_limit_argument
-+
-+ ### 4.1.2 Configure Data Retention
-+
-+ #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
-+ - auditd_data_retention_max_log_file
-+
-+ #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
-+ - auditd_data_retention_max_log_file_action
-+
-+ #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
-+ - var_auditd_space_left_action=email
-+ - auditd_data_retention_space_left_action
-+
-+ ##### action_mail_acct = root
-+ - var_auditd_action_mail_acct=root
-+ - auditd_data_retention_action_mail_acct
-+
-+ ##### admin_space_left_action = halt
-+ - var_auditd_admin_space_left_action=halt
-+ - auditd_data_retention_admin_space_left_action
-+
-+ ### 4.1.3 Ensure changes to system administration scope
-+ ### (sudoers) is collected (Scored)
-+ - audit_rules_sysadmin_actions
-+
-+ ### 4.1.4 Ensure login and logout events are collected (Scored)
-+ - audit_rules_login_events_faillock
-+ - audit_rules_login_events_lastlog
-+
-+ ### 4.1.5 Ensure session initiation information is collected (Scored)
-+ - audit_rules_session_events
-+
-+ ### 4.1.6 Ensure events that modify date and time
information
-+ ### are collected (Scored)
-+ #### adjtimex
-+ - audit_rules_time_adjtimex
-+
-+ #### settimeofday
-+ - audit_rules_time_settimeofday
-+
-+ #### stime
-+ - audit_rules_time_stime
-+
-+ #### clock_settime
-+ - audit_rules_time_clock_settime
-+
-+ #### -w /etc/localtime -p wa
-+ - audit_rules_time_watch_localtime
-+
-+ ### 4.1.7 Ensure events that modify the system's Mandatory
-+ ### Access Control are collected (Scored)
-+ #### -w /etc/selinux/ -p wa
-+ - audit_rules_mac_modification
-+
-+ #### -w /usr/share/selinux/ -p wa
-+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
-+
-+ ### 4.1.8 Ensure events that modify the system's network
-+ ### enironment are collected (Scored)
-+ - audit_rules_networkconfig_modification
-+
-+ ### 4.1.9 Ensure discretionary access control permission modification
-+ ### events are collected (Scored)
-+ - audit_rules_dac_modification_chmod
-+ - audit_rules_dac_modification_fchmod
-+ - audit_rules_dac_modification_fchmodat
-+ - audit_rules_dac_modification_chown
-+ - audit_rules_dac_modification_fchown
-+ - audit_rules_dac_modification_fchownat
-+ - audit_rules_dac_modification_lchown
-+ - audit_rules_dac_modification_setxattr
-+ - audit_rules_dac_modification_lsetxattr
-+ - audit_rules_dac_modification_fsetxattr
-+ - audit_rules_dac_modification_removexattr
-+ - audit_rules_dac_modification_lremovexattr
-+ - audit_rules_dac_modification_fremovexattr
-+
-+ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
-+ ### collected (Scored)
-+ - audit_rules_unsuccessful_file_modification_creat
-+ - audit_rules_unsuccessful_file_modification_open
-+ - audit_rules_unsuccessful_file_modification_openat
-+ - audit_rules_unsuccessful_file_modification_truncate
-+ - audit_rules_unsuccessful_file_modification_ftruncate
-+ # Opinionated selection
-+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
-+
-+ ### 4.1.11 Ensure events that modify user/group information are
-+ ### collected
(Scored)
-+ - audit_rules_usergroup_modification_passwd
-+ - audit_rules_usergroup_modification_group
-+ - audit_rules_usergroup_modification_gshadow
-+ - audit_rules_usergroup_modification_shadow
-+ - audit_rules_usergroup_modification_opasswd
-+
-+ ### 4.1.12 Ensure successful file system mounts are collected (Scored)
-+ - audit_rules_media_export
-+
-+ ### 4.1.13 Ensure use of privileged commands is collected (Scored)
-+ - audit_rules_privileged_commands
-+
-+ ### 4.1.14 Ensure file deletion events by users are collected
-+ ### (Scored)
-+ - audit_rules_file_deletion_events_unlink
-+ - audit_rules_file_deletion_events_unlinkat
-+ - audit_rules_file_deletion_events_rename
-+ - audit_rules_file_deletion_events_renameat
-+ # Opinionated selection
-+ - audit_rules_file_deletion_events_rmdir
-+
-+ ### 4.1.15 Ensure kernel module loading and unloading is collected
-+ ### (Scored)
-+ - audit_rules_kernel_module_loading
-+
-+ ### 4.1.16 Ensure system administrator actions (sudolog) are
-+ ### collected (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
-+
-+ ### 4.1.17 Ensure the audit configuration is immutable (Scored)
-+ - audit_rules_immutable
-+
-+ ## 4.2 Configure Logging
-+
-+ ### 4.2.1 Configure rsyslog
-+
-+ #### 4.2.1.1 Ensure rsyslog is installed (Scored)
-+ - package_rsyslog_installed
-+
-+ #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
-+ - service_rsyslog_enabled
-+
-+ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
-+ - rsyslog_files_permissions
-+
-+ #### 4.2.1.4 Ensure logging is configured (Not Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
-+
-+ #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
-+ #### log host (Scored)
-+ - rsyslog_remote_loghost
-+
-+ #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
-+ #### designated log hosts (Not Scored)
-+ - rsyslog_nolisten
-+
-+ ### 4.2.2 Configure journald
-+
-+ #### 4.2.2.1
Ensure journald is configured to send logs to
-+ #### rsyslog (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
-+
-+ #### 4.2.2.2 Ensure journald is configured to compress large
-+ #### log files (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
-+
-+
-+ #### 4.2.2.3 Ensure journald is configured to write logfiles to
-+ #### persistent disk (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
-+
-+ ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
-+
-+ ## 4.3 Ensure logrotate is configured (Not Scored)
-+
-+ # 5 Access, Authentication and Authorization
-+
-+ ## 5.1 Configure cron
-+
-+ ### 5.1.1 Ensure cron daemon is enabled (Scored)
-+ - service_crond_enabled
-+
-+
-+ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
-+ # chown root:root /etc/crontab
-+ - file_owner_crontab
-+ - file_groupowner_crontab
-+ # chmod og-rwx /etc/crontab
-+ - file_permissions_crontab
-+
-+ ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
-+ # chown root:root /etc/cron.hourly
-+ - file_owner_cron_hourly
-+ - file_groupowner_cron_hourly
-+ # chmod og-rwx /etc/cron.hourly
-+ - file_permissions_cron_hourly
-+
-+ ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
-+ # chown root:root /etc/cron.daily
-+ - file_owner_cron_daily
-+ - file_groupowner_cron_daily
-+ # chmod og-rwx /etc/cron.daily
-+ - file_permissions_cron_daily
-+
-+ ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
-+ # chown root:root /etc/cron.weekly
-+ - file_owner_cron_weekly
-+ - file_groupowner_cron_weekly
-+ # chmod og-rwx /etc/cron.weekly
-+ - file_permissions_cron_weekly
-+
-+ ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
-+ # chown root:root /etc/cron.monthly
-+ - file_owner_cron_monthly
-+ -
file_groupowner_cron_monthly
-+ # chmod og-rwx /etc/cron.monthly
-+ - file_permissions_cron_monthly
-+
-+ ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
-+ # chown root:root /etc/cron.d
-+ - file_owner_cron_d
-+ - file_groupowner_cron_d
-+ # chmod og-rwx /etc/cron.d
-+ - file_permissions_cron_d
-+
-+ ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
-+
-+
-+ ## 5.2 SSH Server Configuration
-+
-+ ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
-+ # chown root:root /etc/ssh/sshd_config
-+ - file_owner_sshd_config
-+ - file_groupowner_sshd_config
-+
-+ # chmod og-rwx /etc/ssh/sshd_config
-+ - file_permissions_sshd_config
-+
-+ ### 5.2.2 Ensure SSH access is limited (Scored)
-+
-+
-+ ### 5.2.3 Ensure permissions on SSH private host key files are
-+ ### configured (Scored)
-+ # TO DO: The rule sets to 640, but benchmark wants 600
-+ - file_permissions_sshd_private_key
-+ # TO DO: check owner of private keys in /etc/ssh is root:root
-+
-+ ### 5.2.4 Ensure permissions on SSH public host key files are configured
-+ ### (Scored)
-+ - file_permissions_sshd_pub_key
-+ # TO DO: check owner of pub keys in /etc/ssh is root:root
-+
-+ ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
-+ - sshd_set_loglevel_info
-+
-+ ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
-+ - sshd_disable_x11_forwarding
-+
-+ ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
-+ - sshd_max_auth_tries_value=4
-+ - sshd_set_max_auth_tries
-+
-+ ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
-+ - sshd_disable_rhosts
-+
-+ ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
-+ - disable_host_auth
-+
-+ ### 5.2.10 Ensure SSH root login is disabled (Scored)
-+ - sshd_disable_root_login
-+
-+ ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
-+ - sshd_disable_empty_passwords
-+
-+ ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
-+ - sshd_do_not_permit_user_env
-+
-+ ###
5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
-+ # ClientAliveInterval 300
-+ - sshd_idle_timeout_value=5_minutes
-+ - sshd_set_idle_timeout
-+
-+ # ClientAliveCountMax 0
-+ - var_sshd_set_keepalive=0
-+
-+ ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
-+ ### or less (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
-+
-+ ### 5.2.15 Ensure SSH warning banner is configured (Scored)
-+ - sshd_enable_warning_banner
-+
-+ ### 5.2.16 Ensure SSH PAM is enabled (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
-+
-+ ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
-+ - sshd_disable_tcp_forwarding
-+
-+ ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
-+
-+ ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
-+ - sshd_set_max_sessions
-+ - var_sshd_max_sessions=4
-+
-+ ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
-+ - configure_ssh_crypto_policy
-+
-+ ## 5.3 Configure authselect
-+
-+
-+ ### 5.3.1 Create custom authselectet profile (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
-+
-+ ### 5.3.2 Select authselect profile (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
-+
-+ ### 5.3.3 Ensure authselect includes with-faillock (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
-+
-+ ## 5.4 Configure PAM
-+
-+ ### 5.4.1 Ensure password creation requirements are configured (Scored)
-+ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
-+ - accounts_password_pam_retry
-+ - var_password_pam_minlen=14
-+ - accounts_password_pam_minlen
-+ - var_password_pam_minclass=4
-+ - accounts_password_pam_minclass
-+
-+ ### 5.4.2 Ensure lockout for failed password attempts is
-+ ### configured (Scored)
-+ -
var_accounts_passwords_pam_faillock_unlock_time=900
-+ - var_accounts_passwords_pam_faillock_deny=5
-+ - accounts_passwords_pam_faillock_unlock_time
-+ - accounts_passwords_pam_faillock_deny
-+
-+ ### 5.4.3 Ensure password reuse is limited (Scored)
-+ - var_password_pam_unix_remember=5
-+ - accounts_password_pam_unix_remember
-+
-+ ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
-+ - set_password_hashing_algorithm_systemauth
-+
-+ ## 5.5 User Accounts and Environment
-+
-+ ### 5.5.1 Set Shadow Password Suite Parameters
-+
-+ #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
-+ - var_accounts_maximum_age_login_defs=365
-+ - accounts_maximum_age_login_defs
-+
-+ #### 5.5.1.2 Ensure minimum days between password changes is 7
-+ #### or more (Scored)
-+ - var_accounts_minimum_age_login_defs=7
-+ - accounts_minimum_age_login_defs
-+
-+ #### 5.5.1.3 Ensure password expiration warning days is
-+ #### 7 or more (Scored)
-+ - var_accounts_password_warn_age_login_defs=7
-+ - accounts_password_warn_age_login_defs
-+
-+ #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
-+ # TODO: Rule doesn't check list of users
-+ # https://github.com/ComplianceAsCode/content/issues/5536
-+ - var_account_disable_post_pw_expiration=30
-+ - account_disable_post_pw_expiration
-+
-+ #### 5.5.1.5 Ensure all users last password change date is
-+ #### in the past (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
-+
-+ ### 5.5.2 Ensure system accounts are secured (Scored)
-+ - no_shelllogin_for_systemaccounts
-+
-+ ### 5.5.3 Ensure default user shell timeout is 900 seconds
-+ ### or less (Scored)
-+ - var_accounts_tmout=15_min
-+ - accounts_tmout
-+
-+ ### 5.5.4 Ensure default group for the root account is
-+ ### GID 0 (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
-+
-+ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
-+ - var_accounts_user_umask=027
-+ -
accounts_umask_etc_bashrc
-+ - accounts_umask_etc_profile
-+
-+ ## 5.6 Ensure root login is restricted to system console (Not Scored)
-+ - securetty_root_login_console_only
-+ - no_direct_root_logins
-+
-+ ## 5.7 Ensure access to the su command is restricted (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
-+
-+ # System Maintenance
-+
-+ ## 6.1 System File Permissions
-+
-+ ### 6.1.1 Audit system file permissions (Not Scored)
-+ - rpm_verify_permissions
-+ - rpm_verify_ownership
-+
-+ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
-+ # chown root:root /etc/passwd
-+ - file_owner_etc_passwd
-+ - file_groupowner_etc_passwd
-+
-+ # chmod 644 /etc/passwd
-+ - file_permissions_etc_passwd
-+
-+ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
-+ # chown root:root /etc/shadow
-+ - file_owner_etc_shadow
-+ - file_groupowner_etc_shadow
-+
-+ # chmod o-rwx,g-wx /etc/shadow
-+ - file_permissions_etc_shadow
-+
-+ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
-+ # chown root:root /etc/group
-+ - file_owner_etc_group
-+ - file_groupowner_etc_group
-+
-+ # chmod 644 /etc/group
-+ - file_permissions_etc_group
-+
-+ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
-+ # chown root:root /etc/gshadow
-+ - file_owner_etc_gshadow
-+ - file_groupowner_etc_gshadow
-+
-+ # chmod o-rwx,g-rw /etc/gshadow
-+ - file_permissions_etc_gshadow
-+
-+ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
-+ # chown root:root /etc/passwd-
-+ - file_owner_backup_etc_passwd
-+ - file_groupowner_backup_etc_passwd
-+
-+ # chmod 644 /etc/passwd-
-+ - file_permissions_backup_etc_passwd
-+
-+ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
-+ # chown root:root /etc/shadow-
-+ - file_owner_backup_etc_shadow
-+ - file_groupowner_backup_etc_shadow
-+
-+ # chmod 0000 /etc/shadow-
-+ - file_permissions_backup_etc_shadow
-+
-+ ### 6.1.8 Ensure permissions on
/etc/group- are configured (Scored)
-+ # chown root:root /etc/group-
-+ - file_owner_backup_etc_group
-+ - file_groupowner_backup_etc_group
-+
-+ # chmod 644 /etc/group-
-+ - file_permissions_backup_etc_group
-+
-+ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
-+ # chown root:root /etc/gshadow-
-+ - file_owner_backup_etc_gshadow
-+ - file_groupowner_backup_etc_gshadow
-+
-+ # chmod 0000 /etc/gshadow-
-+ - file_permissions_backup_etc_gshadow
-+
-+ ### 6.1.10 Ensure no world writable files exist (Scored)
-+ - file_permissions_unauthorized_world_writable
-+
-+ ### 6.1.11 Ensure no unowned files or directories exist (Scored)
-+ - no_files_unowned_by_user
-+
-+ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
-+ - file_permissions_ungroupowned
-+
-+ ### 6.1.13 Audit SUID executables (Not Scored)
-+ - file_permissions_unauthorized_suid
-+
-+ ### 6.1.14 Audit SGID executables (Not Scored)
-+ - file_permissions_unauthorized_sgid
-+
-+ ## 6.2 User and Group Settings
-+
-+ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
-+ - no_legacy_plus_entries_etc_passwd
-+
-+ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
-+ - no_legacy_plus_entries_etc_shadow
-+
-+ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
-+ - no_legacy_plus_entries_etc_group
-+
-+ ### 6.2.6 Ensure root is the only UID 0 account (Scored)
-+ - accounts_no_uid_except_zero
-+
-+ ### 6.2.7 Ensure users' home directories permissions are 750
-+ ### or more restrictive (Scored)
-+ - file_permissions_home_dirs
-+
-+ ### 6.2.8 Ensure users own their home directories (Scored)
-+ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
-+ - file_groupownership_home_directories
-+
-+ ### 6.2.9 Ensure users' dot files are not group or world
-+ ### writable (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
-+
-+ ### 6.2.10 Ensure no users have .forward files
(Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
-+
-+ ### 6.2.11 Ensure no users have .netrc files (Scored)
-+ - no_netrc_files
-+
-+ ### 6.2.12 Ensure users' .netrc Files are not group or
-+ ### world accessible (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
-+
-+ ### 6.2.13 Ensure no users have .rhosts files (Scored)
-+ - no_rsh_trust_files
-+
-+ ### 6.2.14 Ensure all groups in /etc/passwd exist in
-+ ### /etc/group (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
-+
-+ ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
-+
-+ ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
-+
-+ ### 6.2.17 Ensure no duplicate user names exist (Scored)
-+ - account_unique_name
-+
-+ ### 6.2.18 Ensure no duplicate group names exist (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
-+
-+ ### 6.2.19 Ensure shadow group is empty (Scored)
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
-+
-+ ### 6.2.20 Ensure all users' home directories exist (Scored)
-+ - accounts_user_interactive_home_directory_exists
-diff --git a/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile
-new file mode 100644
-index 00000000000..1fc531952b6
---- /dev/null
-+++ b/rhel9/profiles/cjis.profile
-@@ -0,0 +1,139 @@
-+documentation_complete: true
-+
-+metadata:
-+ version: 5.4
-+ SMEs:
-+ - carlosmmatos
-+
-+reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
-+
-+title: 'Criminal Justice Information Services (CJIS) Security Policy'
-+
-+description: |-
-+ This profile is derived from FBI's CJIS v5.4
-+ Security Policy.
A copy of this policy can be found at the CJIS Security
-+ Policy Resource Center:
-+
-+ https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
-+
-+selections:
-+ - service_auditd_enabled
-+ - grub2_audit_argument
-+ - auditd_data_retention_num_logs
-+ - auditd_data_retention_max_log_file
-+ - auditd_data_retention_max_log_file_action
-+ - auditd_data_retention_space_left_action
-+ - auditd_data_retention_admin_space_left_action
-+ - auditd_data_retention_action_mail_acct
-+ - auditd_audispd_syslog_plugin_activated
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_stime
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_watch_localtime
-+ - audit_rules_usergroup_modification
-+ - audit_rules_networkconfig_modification
-+ - file_permissions_var_log_audit
-+ - file_ownership_var_log_audit
-+ - audit_rules_mac_modification
-+ - audit_rules_dac_modification_chmod
-+ - audit_rules_dac_modification_chown
-+ - audit_rules_dac_modification_fchmod
-+ - audit_rules_dac_modification_fchmodat
-+ - audit_rules_dac_modification_fchown
-+ - audit_rules_dac_modification_fchownat
-+ - audit_rules_dac_modification_fremovexattr
-+ - audit_rules_dac_modification_fsetxattr
-+ - audit_rules_dac_modification_lchown
-+ - audit_rules_dac_modification_lremovexattr
-+ - audit_rules_dac_modification_lsetxattr
-+ - audit_rules_dac_modification_removexattr
-+ - audit_rules_dac_modification_setxattr
-+ - audit_rules_login_events
-+ - audit_rules_session_events
-+ - audit_rules_unsuccessful_file_modification
-+ - audit_rules_privileged_commands
-+ - audit_rules_media_export
-+ - audit_rules_file_deletion_events
-+ - audit_rules_sysadmin_actions
-+ - audit_rules_kernel_module_loading
-+ - audit_rules_immutable
-+ - account_unique_name
-+ - gid_passwd_group_same
-+ - accounts_password_all_shadowed
-+ - no_empty_passwords
-+ - display_login_attempts
-+ - var_accounts_password_minlen_login_defs=12
-+ -
var_accounts_maximum_age_login_defs=90
-+ - var_password_pam_unix_remember=10
-+ - var_account_disable_post_pw_expiration=0
-+ - var_password_pam_minlen=12
-+ - var_accounts_minimum_age_login_defs=1
-+ - var_password_pam_difok=6
-+ - var_accounts_max_concurrent_login_sessions=3
-+ - account_disable_post_pw_expiration
-+ - accounts_password_pam_minlen
-+ - accounts_minimum_age_login_defs
-+ - accounts_password_pam_difok
-+ - accounts_max_concurrent_login_sessions
-+ - set_password_hashing_algorithm_systemauth
-+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
-+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
-+ - file_owner_etc_shadow
-+ - file_groupowner_etc_shadow
-+ - file_permissions_etc_shadow
-+ - file_owner_etc_group
-+ - file_groupowner_etc_group
-+ - file_permissions_etc_group
-+ - file_owner_etc_passwd
-+ - file_groupowner_etc_passwd
-+ - file_permissions_etc_passwd
-+ - file_owner_grub2_cfg
-+ - file_groupowner_grub2_cfg
-+ - var_password_pam_retry=5
-+ - var_accounts_passwords_pam_faillock_deny=5
-+ - var_accounts_passwords_pam_faillock_unlock_time=600
-+# - dconf_db_up_to_date # not supported in RHEL9 ATM
-+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
-+# - dconf_gnome_screensaver_idle_activation_enabled # not supported in RHEL9 ATM
-+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
-+# - dconf_gnome_screensaver_mode_blank # not supported in RHEL9 ATM
-+ - sshd_allow_only_protocol2
-+ - sshd_set_idle_timeout
-+ - var_sshd_set_keepalive=0
-+ - disable_host_auth
-+ - sshd_disable_root_login
-+ - sshd_disable_empty_passwords
-+ - sshd_enable_warning_banner
-+ - sshd_do_not_permit_user_env
-+ - var_system_crypto_policy=fips
-+ - configure_crypto_policy
-+ - configure_ssh_crypto_policy
-+ - kernel_module_dccp_disabled
-+ - kernel_module_sctp_disabled
-+ - service_firewalld_enabled
-+ - set_firewalld_default_zone
-+# - firewalld_sshd_port_enabled # not supported
in RHEL9 ATM -+ - sshd_idle_timeout_value=30_minutes -+ - inactivity_timeout_value=30_minutes -+ - sysctl_net_ipv4_conf_default_accept_source_route -+ - sysctl_net_ipv4_tcp_syncookies -+ - sysctl_net_ipv4_conf_all_send_redirects -+ - sysctl_net_ipv4_conf_default_send_redirects -+ - sysctl_net_ipv4_conf_all_accept_redirects -+ - sysctl_net_ipv4_conf_default_accept_redirects -+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -+ - var_password_pam_ocredit=1 -+ - var_password_pam_dcredit=1 -+ - var_password_pam_ucredit=1 -+ - var_password_pam_lcredit=1 -+ - package_aide_installed -+ - aide_build_database -+ - aide_periodic_cron_checking -+ - rpm_verify_permissions -+ - rpm_verify_hashes -+ - ensure_redhat_gpgkey_installed -+ - ensure_gpgcheck_globally_activated -+ - ensure_gpgcheck_never_disabled -+ - security_patches_up_to_date -+ - kernel_module_bluetooth_disabled -diff --git a/rhel9/profiles/cui.profile b/rhel9/profiles/cui.profile -new file mode 100644 -index 00000000000..bf6d9511c17 ---- /dev/null -+++ b/rhel9/profiles/cui.profile -@@ -0,0 +1,32 @@ -+documentation_complete: true -+ -+metadata: -+ version: TBD -+ SMEs: -+ - carlosmmatos -+ -+title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' -+ -+description: |- -+ From NIST 800-171, Section 2.2: -+ Security requirements for protecting the confidentiality of CUI in nonfederal -+ information systems and organizations have a well-defined structure that -+ consists of: -+ -+ (i) a basic security requirements section; -+ (ii) a derived security requirements section. -+ -+ The basic security requirements are obtained from FIPS Publication 200, which -+ provides the high-level and fundamental security requirements for federal -+ information and information systems. The derived security requirements, which -+ supplement the basic security requirements, are taken from the security controls -+ in NIST Special Publication 800-53. 
-+
-+ This profile configures Red Hat Enterprise Linux 8 to the NIST Special
-+ Publication 800-53 controls identified for securing Controlled Unclassified
-+ Information (CUI)."
-+
-+extends: ospp
-+
-+selections:
-+ - inactivity_timeout_value=10_minutes
-diff --git a/rhel9/profiles/e8.profile b/rhel9/profiles/e8.profile
-new file mode 100644
-index 00000000000..30eb9c594ac
---- /dev/null
-+++ b/rhel9/profiles/e8.profile
-@@ -0,0 +1,149 @@
-+documentation_complete: true
-+
-+metadata:
-+ SMEs:
-+ - shaneboulden
-+
-+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
-+
-+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
-+
-+description: |-
-+ This profile contains configuration checks for Red Hat Enterprise Linux 8
-+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
-+
-+ A copy of the Essential Eight in Linux Environments guide can be found at the
-+ ACSC website:
-+
-+ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
-+
-+selections:
-+
-+ ### Remove obsolete packages
-+ - package_talk_removed
-+ - package_talk-server_removed
-+ - package_xinetd_removed
-+ - service_xinetd_disabled
-+ - package_ypbind_removed
-+ - package_telnet_removed
-+ - service_telnet_disabled
-+ - package_telnet-server_removed
-+ - package_rsh_removed
-+ - package_rsh-server_removed
-+ - service_zebra_disabled
-+ - package_quagga_removed
-+ - service_avahi-daemon_disabled
-+ - package_squid_removed
-+ - service_squid_disabled
-+
-+ ### Software update
-+ - ensure_redhat_gpgkey_installed
-+ - ensure_gpgcheck_never_disabled
-+ - ensure_gpgcheck_local_packages
-+ - ensure_gpgcheck_globally_activated
-+ - security_patches_up_to_date
-+ - dnf-automatic_security_updates_only
-+
-+ ### System security settings
-+ - sysctl_kernel_randomize_va_space
-+ - sysctl_kernel_exec_shield
-+ - sysctl_kernel_kptr_restrict
-+ - sysctl_kernel_dmesg_restrict
-+ - sysctl_kernel_kexec_load_disabled
-+ - sysctl_kernel_yama_ptrace_scope
-+ - sysctl_kernel_unprivileged_bpf_disabled
-+ - sysctl_net_core_bpf_jit_harden
-+
-+ ### SELinux
-+ - var_selinux_state=enforcing
-+ - selinux_state
-+ - var_selinux_policy_name=targeted
-+ - selinux_policytype
-+
-+ ### Filesystem integrity
-+ - rpm_verify_hashes
-+ - rpm_verify_permissions
-+ - rpm_verify_ownership
-+ - file_permissions_unauthorized_sgid
-+ - file_permissions_unauthorized_suid
-+ - file_permissions_unauthorized_world_writable
-+ - dir_perms_world_writable_sticky_bits
-+ - file_permissions_library_dirs
-+ - file_ownership_binary_dirs
-+ - file_permissions_binary_dirs
-+ - file_ownership_library_dirs
-+
-+ ### Passwords
-+ - no_empty_passwords
-+
-+ ### Partitioning
-+ - mount_option_dev_shm_nodev
-+ - mount_option_dev_shm_nosuid
-+ - mount_option_dev_shm_noexec
-+
-+ ### Network
-+ - package_firewalld_installed
-+ - service_firewalld_enabled
-+ - network_sniffer_disabled
-+
-+ ### Admin privileges
-+ - accounts_no_uid_except_zero
-+ - sudo_remove_nopasswd
-+ - sudo_remove_no_authenticate
-+ - sudo_require_authentication
-+
-+ ### Audit
-+ - package_rsyslog_installed
-+ - service_rsyslog_enabled
-+ - service_auditd_enabled
-+ - var_auditd_flush=incremental_async
-+ - auditd_data_retention_flush
-+ - auditd_local_events
-+ - auditd_write_logs
-+ - auditd_log_format
-+ - auditd_freq
-+ - auditd_name_format
-+ - audit_rules_login_events_tallylog
-+ - audit_rules_login_events_faillock
-+ - audit_rules_login_events_lastlog
-+ - audit_rules_login_events
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_watch_localtime
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_stime
-+ - audit_rules_execution_restorecon
-+ - audit_rules_execution_chcon
-+ - audit_rules_execution_semanage
-+ - audit_rules_execution_setsebool
-+ - audit_rules_execution_setfiles
-+ - audit_rules_execution_seunshare
-+ - audit_rules_sysadmin_actions
-+ - audit_rules_networkconfig_modification
-+ - audit_rules_usergroup_modification
-+ - audit_rules_dac_modification_chmod
-+ - audit_rules_dac_modification_chown
-+ - audit_rules_kernel_module_loading
-+
-+ ### Secure access
-+ - sshd_disable_root_login
-+ - sshd_disable_gssapi_auth
-+ - sshd_print_last_log
-+ - sshd_do_not_permit_user_env
-+ - sshd_disable_rhosts
-+ - sshd_set_loglevel_info
-+ - sshd_disable_empty_passwords
-+ - sshd_disable_user_known_hosts
-+ - sshd_enable_strictmodes
-+
-+ # See also: https://www.cyber.gov.au/acsc/view-all-content/guidance/asd-approved-cryptographic-algorithms
-+ - var_system_crypto_policy=default_nosha1
-+ - configure_crypto_policy
-+ - configure_ssh_crypto_policy
-+
-+ ### Application whitelisting
-+ - package_fapolicyd_installed
-+ - service_fapolicyd_enabled
-+
-+ ### Backup
-+ - package_rear_installed
-diff --git a/rhel9/profiles/hipaa.profile b/rhel9/profiles/hipaa.profile
-new file mode 100644
-index 00000000000..7919649d4d5
---- /dev/null
-+++ b/rhel9/profiles/hipaa.profile
-@@ -0,0 +1,164 @@
-+documentation_complete: True
-+
-+metadata:
-+ SMEs:
-+ - jjaswanson4
-+ - carlosmmatos
-+
-+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
-+
-+title: 'Health Insurance Portability and Accountability Act (HIPAA)'
-+
-+description: |-
-+ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
-+ electronic personal health information that is created, received, used, or
-+ maintained by a covered entity. The Security Rule requires appropriate
-+ administrative, physical and technical safeguards to ensure the
-+ confidentiality, integrity, and security of electronic protected health
-+ information.
-+
-+ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
-+ Rule identified for securing of electronic protected health information.
-+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
-+
-+selections:
-+ - grub2_password
-+# - grub2_uefi_password # not supported in RHEL9 ATM
-+ - file_groupowner_grub2_cfg
-+ - file_permissions_grub2_cfg
-+ - file_owner_grub2_cfg
-+# - grub2_disable_interactive_boot # not supported in RHEL9 ATM
-+ - no_direct_root_logins
-+ - no_empty_passwords
-+ - require_singleuser_auth
-+ - restrict_serial_port_logins
-+ - securetty_root_login_console_only
-+# - service_debug-shell_disabled # not supported in RHEL9 ATM
-+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
-+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
-+# - dconf_db_up_to_date # not supported in RHEL9 ATM
-+# - dconf_gnome_remote_access_credential_prompt # not supported in RHEL9 ATM
-+# - dconf_gnome_remote_access_encryption # not supported in RHEL9 ATM
-+ - sshd_disable_empty_passwords
-+ - sshd_disable_root_login
-+# - libreswan_approved_tunnels # not supported in RHEL9 ATM
-+ - no_rsh_trust_files
-+ - package_rsh-server_removed
-+ - package_talk_removed
-+ - package_talk-server_removed
-+ - package_telnet_removed
-+ - package_telnet-server_removed
-+ - package_xinetd_removed
-+ - service_crond_enabled
-+# - service_rexec_disabled # not supported in RHEL9 ATM
-+# - service_rlogin_disabled # not supported in RHEL9 ATM
-+ - service_telnet_disabled
-+ - service_xinetd_disabled
-+ - service_zebra_disabled
-+# - use_kerberos_security_all_exports # not supported in RHEL9 ATM
-+ - disable_host_auth
-+ - sshd_allow_only_protocol2
-+ - sshd_disable_compression
-+ - sshd_disable_gssapi_auth
-+ - sshd_disable_kerb_auth
-+ - sshd_do_not_permit_user_env
-+ - sshd_enable_strictmodes
-+ - sshd_enable_warning_banner
-+ - var_sshd_set_keepalive=0
-+ - encrypt_partitions
-+ - var_system_crypto_policy=fips
-+ - configure_crypto_policy
-+ - configure_ssh_crypto_policy
-+ - var_selinux_policy_name=targeted
-+ - var_selinux_state=enforcing
-+ - grub2_enable_selinux
-+ - sebool_selinuxuser_execheap
-+ - sebool_selinuxuser_execmod
-+ - sebool_selinuxuser_execstack
-+ - selinux_confinement_of_daemons
-+ - selinux_policytype
-+ - selinux_state
-+ - service_kdump_disabled
-+ - sysctl_fs_suid_dumpable
-+ - sysctl_kernel_dmesg_restrict
-+ - sysctl_kernel_exec_shield
-+ - sysctl_kernel_randomize_va_space
-+ - rpm_verify_hashes
-+ - rpm_verify_permissions
-+ - ensure_redhat_gpgkey_installed
-+ - ensure_gpgcheck_globally_activated
-+ - ensure_gpgcheck_never_disabled
-+ - ensure_gpgcheck_local_packages
-+ - grub2_audit_argument
-+ - service_auditd_enabled
-+ - audit_rules_privileged_commands_sudo
-+ - audit_rules_privileged_commands_su
-+ - audit_rules_immutable
-+ - kernel_module_usb-storage_disabled
-+ - service_autofs_disabled
-+ - auditd_audispd_syslog_plugin_activated
-+ - rsyslog_remote_loghost
-+ - auditd_data_retention_flush
-+ - audit_rules_dac_modification_chmod
-+ - audit_rules_dac_modification_chown
-+ - audit_rules_dac_modification_fchmodat
-+ - audit_rules_dac_modification_fchmod
-+ - audit_rules_dac_modification_fchownat
-+ - audit_rules_dac_modification_fchown
-+ - audit_rules_dac_modification_fremovexattr
-+ - audit_rules_dac_modification_fsetxattr
-+ - audit_rules_dac_modification_lchown
-+ - audit_rules_dac_modification_lremovexattr
-+ - audit_rules_dac_modification_lsetxattr
-+ - audit_rules_dac_modification_removexattr
-+ - audit_rules_dac_modification_setxattr
-+ - audit_rules_execution_chcon
-+ - audit_rules_execution_restorecon
-+ - audit_rules_execution_semanage
-+ - audit_rules_execution_setsebool
-+ - audit_rules_file_deletion_events_renameat
-+ - audit_rules_file_deletion_events_rename
-+ - audit_rules_file_deletion_events_rmdir
-+ - audit_rules_file_deletion_events_unlinkat
-+ - audit_rules_file_deletion_events_unlink
-+ - audit_rules_kernel_module_loading_delete
-+ - audit_rules_kernel_module_loading_init
-+ - audit_rules_login_events_faillock
-+ - audit_rules_login_events_lastlog
-+ - audit_rules_login_events_tallylog
-+ - audit_rules_mac_modification
-+ - audit_rules_media_export
-+ - audit_rules_networkconfig_modification
-+ - audit_rules_privileged_commands_chage
-+ - audit_rules_privileged_commands_chsh
-+ - audit_rules_privileged_commands_crontab
-+ - audit_rules_privileged_commands_gpasswd
-+ - audit_rules_privileged_commands_newgrp
-+ - audit_rules_privileged_commands_pam_timestamp_check
-+ - audit_rules_privileged_commands_passwd
-+ - audit_rules_privileged_commands_postdrop
-+ - audit_rules_privileged_commands_postqueue
-+ - audit_rules_privileged_commands_ssh_keysign
-+ - audit_rules_privileged_commands_sudoedit
-+ - audit_rules_privileged_commands_umount
-+ - audit_rules_privileged_commands_unix_chkpwd
-+ - audit_rules_privileged_commands_userhelper
-+ - audit_rules_session_events
-+ - audit_rules_sysadmin_actions
-+ - audit_rules_system_shutdown
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_stime
-+ - audit_rules_time_watch_localtime
-+ - audit_rules_unsuccessful_file_modification_creat
-+ - audit_rules_unsuccessful_file_modification_ftruncate
-+ - audit_rules_unsuccessful_file_modification_openat
-+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
-+ - audit_rules_unsuccessful_file_modification_open
-+ - audit_rules_unsuccessful_file_modification_truncate
-+ - audit_rules_usergroup_modification_group
-+ - audit_rules_usergroup_modification_gshadow
-+ - audit_rules_usergroup_modification_opasswd
-+ - audit_rules_usergroup_modification_passwd
-+ - audit_rules_usergroup_modification_shadow
-diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile
-new file mode 100644
-index 00000000000..592be03783f
---- /dev/null
-+++ b/rhel9/profiles/ism_o.profile
-@@ -0,0 +1,134 @@
-+documentation_complete: true
-+
-+metadata:
-+ SMEs:
-+ - shaneboulden
-+ - wcushen
-+ - ahamilto156
-+
-+reference: https://www.cyber.gov.au/ism
-+
-+title: 'Australian Cyber Security Centre (ACSC) ISM Official'
-+
-+description: |-
-+ This profile contains configuration checks for Red Hat Enterprise Linux 8
-+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
-+ with the applicability marking of OFFICIAL.
-+
-+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
-+ Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
-+ specific to an organisation's security posture and risk profile.
-+
-+ A copy of the ISM can be found at the ACSC website:
-+
-+ https://www.cyber.gov.au/ism
-+
-+extends: e8
-+
-+selections:
-+
-+ ## Operating system configuration
-+ ## Identifiers 1491
-+ - no_shelllogin_for_systemaccounts
-+
-+ ## Local administrator accounts
-+ ## Identifiers 1382 / 1410
-+ - accounts_password_all_shadowed
-+ - package_sudo_installed
-+
-+ ## Content filtering & Anti virus
-+ ## Identifiers 0576 / 1341 / 1034 / 1417 / 1288
-+ - package_aide_installed
-+
-+ ## Software firewall
-+ ## Identifiers 1416
-+# - configure_firewalld_ports # not supported in RHEL9 ATM
-+ ## Removing due to build error
-+ ## - configure_firewalld_rate_limiting
-+# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
-+ - set_firewalld_default_zone
-+
-+ ## Endpoint device control software
-+ ## Identifiers 1418
-+ - package_usbguard_installed
-+ - service_usbguard_enabled
-+
-+ ## Authentication hardening
-+ ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
-+ ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
-+ - sshd_max_auth_tries_value=5
-+ - disable_host_auth
-+ - require_emergency_target_auth
-+ - require_singleuser_auth
-+ - sshd_disable_kerb_auth
-+ - sshd_set_max_auth_tries
-+
-+ ## Password authentication & Protecting credentials
-+ ## Identifiers 0421 / 0431 / 0418 / 1402
-+ - var_password_pam_minlen=14
-+ - var_accounts_password_warn_age_login_defs=7
-+ - var_accounts_minimum_age_login_defs=1
-+ - var_accounts_maximum_age_login_defs=60
-+ - accounts_password_warn_age_login_defs
-+ - accounts_maximum_age_login_defs
-+ - accounts_minimum_age_login_defs
-+ - accounts_passwords_pam_faillock_interval
-+ - accounts_passwords_pam_faillock_unlock_time
-+ - accounts_passwords_pam_faillock_deny
-+ - accounts_passwords_pam_faillock_deny_root
-+ - accounts_password_pam_minlen
-+
-+ ## Centralised logging facility
-+ ## Identifiers 1405 / 0988
-+ - rsyslog_cron_logging
-+ - rsyslog_files_groupownership
-+ - rsyslog_files_ownership
-+ - rsyslog_files_permissions
-+ - rsyslog_nolisten
-+ - rsyslog_remote_loghost
-+ - rsyslog_remote_tls
-+ - rsyslog_remote_tls_cacert
-+ - package_chrony_installed
-+ - service_chronyd_enabled
-+# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
-+ - chronyd_specify_remote_server
-+# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
-+
-+ ## Events to be logged
-+ ## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957
-+ - display_login_attempts
-+ - sebool_auditadm_exec_content
-+ - audit_rules_privileged_commands
-+ - audit_rules_session_events
-+ - audit_rules_unsuccessful_file_modification
-+ - audit_access_failed
-+ - audit_access_success
-+
-+ ## Web application & Database servers
-+ ## Identifiers 1552 / 1277
-+# - openssl_use_strong_entropy # not supported in RHEL9 ATM
-+
-+ ## Network design and configuration
-+ ## Identifiers 1055 / 1311
-+# - network_nmcli_permissions # not supported in RHEL9 ATM
-+ - service_snmpd_disabled
-+# - snmpd_use_newer_protocol # not supported in RHEL9 ATM
-+
-+ ## Wireless networks
-+ ## Identifiers 1315
-+ - wireless_disable_interfaces
-+
-+ ## ASD Approved Cryptographic Algorithms
-+ ## Identifiers 0471 / 0472 / 0473 / 0474 / 0475 / 0476 / 0477 /
-+ ## 0479 / 0480 / 0481 / 0489 / 0497 / 0994 / 0998 / 1001 / 1139 /
-+ ## 1372 / 1373 / 1374 / 1375
-+# - enable_fips_mode # not supported in RHEL9 ATM
-+ - var_system_crypto_policy=fips
-+ - configure_crypto_policy
-+
-+ ## Secure Shell access
-+ ## Identifiers 0484 / 1506 / 1449 / 0487
-+ - sshd_allow_only_protocol2
-+ - sshd_enable_warning_banner
-+ - sshd_disable_x11_forwarding
-+ - file_permissions_sshd_private_key
-diff --git a/rhel9/profiles/ospp-mls.profile b/rhel9/profiles/ospp-mls.profile
-new file mode 100644
-index 00000000000..d1d1b8aff73
---- /dev/null
-+++ b/rhel9/profiles/ospp-mls.profile
-@@ -0,0 +1,25 @@
-+documentation_complete: false
-+
-+title: 'Protection Profile for General Purpose Operating Systems - MLS Mode'
-+
-+description: |-
-+ Placeholder to put MLS specific rules
-+
-+extends: ospp
-+
-+selections:
-+
-+ ################################################
-+ ## MUST INSTALL PACKAGES IN MLS MODE
-+ #cups
-+ #foomatic
-+ #ghostscript
-+ #ghostscript-fonts
-+ #checkpolicy
-+ #mcstrans
-+ #policycoreutils-newrole
-+ #selinux-policy-devel
-+ ##xinetd
-+ #iproute
-+ #iputils
-+ #netlabel_tools
-diff --git a/rhel9/profiles/ospp.profile b/rhel9/profiles/ospp.profile
-new file mode 100644
-index 00000000000..c4a43dc5eb6
---- /dev/null
-+++ b/rhel9/profiles/ospp.profile
-@@ -0,0 +1,444 @@
-+documentation_complete: true
-+
-+metadata:
-+ version: 4.2.1
-+ SMEs:
-+ - comps
-+ - carlosmmatos
-+ - stevegrubb
-+
-+reference: https://www.niap-ccevs.org/Profile/PP.cfm
-+
-+title: 'Protection Profile for General Purpose Operating Systems'
-+
-+description: |-
-+ This profile reflects mandatory configuration controls identified in the
-+ NIAP Configuration Annex to the Protection Profile for General Purpose
-+ Operating Systems (Protection Profile Version 4.2.1).
-+
-+ This configuration profile is consistent with CNSSI-1253, which requires
-+ U.S. National Security Systems to adhere to certain configuration
-+ parameters. Accordingly, this configuration profile is suitable for
-+ use in U.S. National Security Systems.
-+
-+selections:
-+
-+ #######################################################
-+ ### GENERAL REQUIREMENTS
-+ ### Things needed to meet OSPP functional requirements.
-+ #######################################################
-+
-+ ### Partitioning
-+ - mount_option_home_nodev
-+ - mount_option_home_nosuid
-+ - mount_option_tmp_nodev
-+ - mount_option_tmp_noexec
-+ - mount_option_tmp_nosuid
-+ - partition_for_var_tmp
-+ - mount_option_var_tmp_nodev
-+ - mount_option_var_tmp_noexec
-+ - mount_option_var_tmp_nosuid
-+ - mount_option_dev_shm_nodev
-+ - mount_option_dev_shm_noexec
-+ - mount_option_dev_shm_nosuid
-+ - mount_option_nodev_nonroot_local_partitions
-+ - mount_option_boot_nodev
-+ - mount_option_boot_nosuid
-+ - partition_for_home
-+ - partition_for_var
-+ - mount_option_var_nodev
-+ - partition_for_var_log
-+ - mount_option_var_log_nodev
-+ - mount_option_var_log_nosuid
-+ - mount_option_var_log_noexec
-+ - partition_for_var_log_audit
-+ - mount_option_var_log_audit_nodev
-+ - mount_option_var_log_audit_nosuid
-+ - mount_option_var_log_audit_noexec
-+
-+ ### Services
-+ # sshd
-+ - sshd_disable_root_login
-+ - sshd_enable_strictmodes
-+ - disable_host_auth
-+ - sshd_disable_empty_passwords
-+ - sshd_disable_kerb_auth
-+ - sshd_disable_gssapi_auth
-+ - var_sshd_set_keepalive=0
-+ - sshd_enable_warning_banner
-+ - sshd_rekey_limit
-+ - var_rekey_limit_size=1G
-+ - var_rekey_limit_time=1hour
-+# - sshd_use_strong_rng # not supported in RHEL9 ATM
-+# - openssl_use_strong_entropy # not supported in RHEL9 ATM
-+
-+ # Time Server
-+# - chronyd_client_only # not supported in RHEL9 ATM
-+# - chronyd_no_chronyc_network # not supported in RHEL9 ATM
-+
-+ ### Network Settings
-+ - sysctl_net_ipv6_conf_all_accept_ra
-+ - sysctl_net_ipv6_conf_default_accept_ra
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+ - sysctl_net_ipv4_conf_default_accept_redirects
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+ - sysctl_net_ipv6_conf_default_accept_redirects
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+ - sysctl_net_ipv4_conf_all_secure_redirects
-+ - sysctl_net_ipv4_conf_default_secure_redirects
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+ - sysctl_net_ipv4_conf_all_log_martians
-+ - sysctl_net_ipv4_conf_default_log_martians
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+ - sysctl_net_ipv4_conf_default_rp_filter
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+ - sysctl_net_ipv4_ip_forward
-+ - sysctl_net_ipv4_tcp_syncookies
-+
-+ ### systemd
-+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
-+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
-+# - service_debug-shell_disabled # not supported in RHEL9 ATM
-+
-+ ### umask
-+ - var_accounts_user_umask=027
-+ - accounts_umask_etc_profile
-+ - accounts_umask_etc_bashrc
-+# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
-+
-+ ### Software update
-+ - ensure_redhat_gpgkey_installed
-+ - ensure_gpgcheck_globally_activated
-+ - ensure_gpgcheck_local_packages
-+ - ensure_gpgcheck_never_disabled
-+
-+ ### Passwords
-+ - var_password_pam_difok=4
-+ - accounts_password_pam_difok
-+ - var_password_pam_maxrepeat=3
-+ - accounts_password_pam_maxrepeat
-+ - var_password_pam_maxclassrepeat=4
-+ - accounts_password_pam_maxclassrepeat
-+
-+ ### Kernel Config
-+ ## Boot prompt
-+ - grub2_audit_argument
-+ - grub2_audit_backlog_limit_argument
-+ - grub2_slub_debug_argument
-+ - grub2_page_poison_argument
-+ - grub2_vsyscall_argument
-+ - grub2_vsyscall_argument.role=unscored
-+ - grub2_vsyscall_argument.severity=info
-+ - grub2_pti_argument
-+ - grub2_kernel_trust_cpu_rng
-+
-+ ## Security Settings
-+ - sysctl_kernel_kptr_restrict
-+ - sysctl_kernel_dmesg_restrict
-+ - sysctl_kernel_kexec_load_disabled
-+ - sysctl_kernel_yama_ptrace_scope
-+ - sysctl_kernel_perf_event_paranoid
-+ - sysctl_user_max_user_namespaces
-+ - sysctl_user_max_user_namespaces.role=unscored
-+ - sysctl_user_max_user_namespaces.severity=info
-+ - sysctl_kernel_unprivileged_bpf_disabled
-+ - sysctl_net_core_bpf_jit_harden
-+ - service_kdump_disabled
-+
-+ ## File System Settings
-+ - sysctl_fs_protected_hardlinks
-+ - sysctl_fs_protected_symlinks
-+
-+ ### Audit
-+ - service_auditd_enabled
-+ - var_auditd_flush=incremental_async
-+ - auditd_data_retention_flush
-+ - auditd_local_events
-+ - auditd_write_logs
-+ - auditd_log_format
-+ - auditd_freq
-+ - auditd_name_format
-+
-+ ### Module Blacklist
-+ - kernel_module_cramfs_disabled
-+ - kernel_module_bluetooth_disabled
-+ - kernel_module_sctp_disabled
-+ - kernel_module_firewire-core_disabled
-+ - kernel_module_atm_disabled
-+ - kernel_module_can_disabled
-+ - kernel_module_tipc_disabled
-+
-+ ### rpcbind
-+
-+ ### Install Required Packages
-+ - package_aide_installed
-+ - package_dnf-automatic_installed
-+ - package_subscription-manager_installed
-+# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
-+ - package_firewalld_installed
-+ - package_openscap-scanner_installed
-+ - package_policycoreutils_installed
-+ - package_sudo_installed
-+ - package_usbguard_installed
-+ - package_scap-security-guide_installed
-+ - package_audit_installed
-+ - package_crypto-policies_installed
-+ - package_openssh-server_installed
-+ - package_openssh-clients_installed
-+ - package_policycoreutils-python-utils_installed
-+ - package_rsyslog_installed
-+ - package_rsyslog-gnutls_installed
-+ - package_audispd-plugins_installed
-+ - package_chrony_installed
-+ - package_gnutls-utils_installed
-+
-+ ### Remove Prohibited Packages
-+ - package_sendmail_removed
-+ - package_iprutils_removed
-+ - package_gssproxy_removed
-+ - package_nfs-utils_removed
-+ - package_krb5-workstation_removed
-+ - package_abrt-addon-kerneloops_removed
-+ - package_abrt-addon-python_removed
-+ - package_abrt-addon-ccpp_removed
-+ - package_abrt-plugin-rhtsupport_removed
-+ - package_abrt-plugin-logger_removed
-+ - package_abrt-plugin-sosreport_removed
-+ - package_abrt-cli_removed
-+ - package_abrt_removed
-+
-+ ### Login
-+ - disable_users_coredumps
-+ - sysctl_kernel_core_pattern
-+# - coredump_disable_storage
-+# - coredump_disable_backtraces
-+ - service_systemd-coredump_disabled
-+ - var_accounts_max_concurrent_login_sessions=10
-+ - accounts_max_concurrent_login_sessions
-+ - securetty_root_login_console_only
-+ - var_password_pam_unix_remember=5
-+ - accounts_password_pam_unix_remember
-+# - use_pam_wheel_for_su # not supported in RHEL9 ATM
-+
-+ ### SELinux Configuration
-+ - var_selinux_state=enforcing
-+ - selinux_state
-+ - var_selinux_policy_name=targeted
-+ - selinux_policytype
-+
-+ ### Application Whitelisting (RHEL 9)
-+ - package_fapolicyd_installed
-+ - service_fapolicyd_enabled
-+
-+ ### Configure USBGuard
-+ - service_usbguard_enabled
-+ - configure_usbguard_auditbackend
-+ - usbguard_allow_hid_and_hub
-+
-+
-+ ### Enable / Configure FIPS
-+# - enable_fips_mode # not supported in RHEL9 ATM
-+ - var_system_crypto_policy=fips_ospp
-+ - configure_crypto_policy
-+ - configure_ssh_crypto_policy
-+ - configure_bind_crypto_policy
-+ - configure_openssl_crypto_policy
-+ - configure_libreswan_crypto_policy
-+ - configure_kerberos_crypto_policy
-+# - enable_dracut_fips_module # not supported in RHEL9 ATM
-+
-+ #######################################################
-+ ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE
-+ ### FOR GENERAL PURPOSE OPERATING SYSTEMS
-+ ### ANNEX RELEASE 1
-+ ### FOR PROTECTION PROFILE VERSIONS 4.2
-+ ###
-+ ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/
-+ #######################################################
-+
-+ ## Configure Minimum Password Length to 12 Characters
-+ ## IA-5 (1)(a) / FMT_MOF_EXT.1
-+ - var_accounts_password_minlen_login_defs=12
-+ - accounts_password_minlen_login_defs
-+ - var_password_pam_minlen=12
-+ - accounts_password_pam_minlen
-+
-+ ## Require at Least 1 Special Character in Password
-+ ## IA-5(1)(a) / FMT_MOF_EXT.1
-+ - var_password_pam_ocredit=1
-+ - accounts_password_pam_ocredit
-+
-+ ## Require at Least 1 Numeric Character in Password
-+ ## IA-5(1)(a) / FMT_MOF_EXT.1
-+ - var_password_pam_dcredit=1
-+ - accounts_password_pam_dcredit
-+
-+ ## Require at Least 1 Uppercase Character in Password
-+ ## IA-5(1)(a) / FMT_MOF_EXT.1
-+ - var_password_pam_ucredit=1
-+ - accounts_password_pam_ucredit
-+
-+ ## Require at Least 1 Lowercase Character in Password
-+ ## IA-5(1)(a) / FMT_MOF_EXT.1
-+ - var_password_pam_lcredit=1
-+ - accounts_password_pam_lcredit
-+
-+ ## Enable Screen Lock
-+ ## FMT_MOF_EXT.1
-+ - package_tmux_installed
-+# - configure_bashrc_exec_tmux # not supported in RHEL9 ATM
-+# - no_tmux_in_shells # not supported in RHEL9 ATM
-+# - configure_tmux_lock_command # not supported in RHEL9 ATM
-+# - configure_tmux_lock_after_time # not supported in RHEL9 ATM
-+
-+ ## Set Screen Lock Timeout Period to 30 Minutes or Less
-+ ## AC-11(a) / FMT_MOF_EXT.1
-+ ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
-+ - sshd_idle_timeout_value=14_minutes
-+ - sshd_set_idle_timeout
-+
-+ ## Disable Unauthenticated Login (such as Guest Accounts)
-+ ## FIA_UAU.1
-+ - require_singleuser_auth
-+# - grub2_disable_interactive_boot # not supported in RHEL9 ATM
-+# - grub2_uefi_password # not supported in RHEL9 ATM
-+ - no_empty_passwords
-+
-+ ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes
-+ ## AC-7 / FIA_AFL.1
-+ - var_accounts_passwords_pam_faillock_deny=3
-+ - accounts_passwords_pam_faillock_deny
-+ - var_accounts_passwords_pam_faillock_fail_interval=900
-+ - accounts_passwords_pam_faillock_interval
-+ - var_accounts_passwords_pam_faillock_unlock_time=never
-+ - accounts_passwords_pam_faillock_unlock_time
-+
-+ ## Enable Host-Based Firewall
-+ ## SC-7(12) / FMT_MOF_EXT.1
-+ - service_firewalld_enabled
-+
-+ ## Configure Name/Addres of Remote Management Server
-+ ## From Which to Receive Config Settings
-+ ## CM-3(3) / FMT_MOF_EXT.1
-+
-+ ## Configure the System to Offload Audit Records to a Log
-+ ## Server
-+ ## AU-4(1) / FAU_GEN.1.1.c
-+ # temporarily dropped
-+
-+ ## Set Logon Warning Banner
-+ ## AC-8(a) / FMT_MOF_EXT.1
-+
-+ ## Audit All Logons (Success/Failure) and Logoffs (Success)
-+ ## CNSSI 1253 Value or DoD-Specific Values:
-+ ## (1) Logons (Success/Failure)
-+ ## (2) Logoffs (Success)
-+ ## AU-2(a) / FAU_GEN.1.1.c
-+
-+ ## Audit File and Object Events (Unsuccessful)
-+ ## CNSSI 1253 Value or DoD-specific Values:
-+ ## (1) Create (Success/Failure)
-+ ## (2) Access (Success/Failure)
-+ ## (3) Delete (Sucess/Failure)
-+ ## (4) Modify (Success/Failure)
-+ ## (5) Permission Modification (Sucess/Failure)
-+ ## (6) Ownership Modification (Success/Failure)
-+ ## AU-2(a) / FAU_GEN.1.1.c
-+ ##
-+ ##
-+ ## (1) Create (Success/Failure)
-+ ## (open with O_CREAT)
-+ ## (2) Access (Success/Failure)
-+ ## (3) Delete (Success/Failure)
-+ ## (4) Modify (Success/Failure)
-+ ## (5) Permission Modification (Success/Failure)
-+ ## (6) Ownership Modification (Success/Failure)
-+
-+ ## Audit User and Group Management Events (Success/Failure)
-+ ## CNSSI 1253 Value or DoD-specific Values:
-+ ## (1) User add, delete, modify, disable, enable (Success/Failure)
-+ ## (2) Group/Role add, delete, modify (Success/Failure)
-+ ## AU-2(a) / FAU_GEN.1.1.c
-+ ##
-+ ## Generic User and Group Management Events (Success/Failure)
-+ ## Selection of setuid programs that relate to
-+ ## user accounts.
-+ ##
-+ ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure)
-+ ##
-+ ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure)
-+ ##
-+ ## Audit Privilege or Role Escalation Events (Success/Failure)
-+ ## CNSSI 1253 Value or DoD-specific Values:
-+ ## - Privilege/Role escalation (Success/Failure)
-+ ## AU-2(a) / FAU_GEN.1.1.c
-+ ## Audit All Audit and Log Data Accesses (Success/Failure)
-+ ## CNSSI 1253 Value or DoD-specific Values:
-+ ## - Audit and log data access (Success/Failure)
-+ ## AU-2(a) / FAU_GEN.1.1.c
-+ ## Audit Cryptographic Verification of Software (Success/Failure)
-+ ## CNSSI 1253 Value or DoD-specific Values:
-+ ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite,
-+ ## etc) initialization (Success/Failure)
-+ ## AU-2(a) / FAU_GEN.1.1.c
-+ ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
-+ ## AU-2(a) / FAU_GEN.1.1.c
-+ - audit_basic_configuration
-+ - audit_immutable_login_uids
-+ - audit_create_failed
-+ - audit_create_success
-+ - audit_modify_failed
-+ - audit_modify_success
-+ - audit_access_failed
-+ - audit_access_success
-+ - audit_delete_failed
-+ - audit_delete_success
-+ - audit_perm_change_failed
-+ - audit_perm_change_success
-+ - audit_owner_change_failed
-+ - audit_owner_change_success
-+ - audit_ospp_general
-+ - audit_module_load
-+
-+ ## Enable Automatic Software Updates
-+ ## SI-2 / FMT_MOF_EXT.1
-+ # Configure dnf-automatic to Install Only Security Updates
-+ - dnf-automatic_security_updates_only
-+
-+ # Configure dnf-automatic to Install Available Updates Automatically
-+ - dnf-automatic_apply_updates
-+
-+ # Enable dnf-automatic Timer
-+ - timer_dnf-automatic_enabled
-+
-+ # Configure TLS for remote logging
-+ - rsyslog_remote_tls
-+ - rsyslog_remote_tls_cacert
-+
-+ # Prevent Kerberos use by system daemons
-+ - kerberos_disable_no_keytab
-+
-+ # set ssh client rekey limit
-+# - ssh_client_rekey_limit # not supported in RHEL9 ATM
-+ - var_ssh_client_rekey_limit_size=1G
-+ - var_ssh_client_rekey_limit_time=1hour
-+
-+# configure ssh client to use strong entropy
-+# - ssh_client_use_strong_rng_sh # not supported in RHEL9 ATM
-+# - ssh_client_use_strong_rng_csh # not supported in RHEL9 ATM
-+
-+ # zIPl specific rules
-+ - zipl_bls_entries_only
-+ - zipl_bootmap_is_up_to_date
-+ - zipl_audit_argument
-+ - zipl_audit_backlog_limit_argument
-+ - zipl_slub_debug_argument
-+ - zipl_page_poison_argument
-+ - zipl_vsyscall_argument
-+ - zipl_vsyscall_argument.role=unscored
-+ - zipl_vsyscall_argument.severity=info
-diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
-index 3ad218b5a0d..966b2d5e1d8 100644
---- a/rhel9/profiles/pci-dss.profile
-+++ b/rhel9/profiles/pci-dss.profile
-@@ -6,14 +6,142 @@ metadata:
-
- reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
-
--title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'
-+title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
-
- description: |-
- Ensures PCI-DSS v3.2.1 security configuration settings are applied.
-
- selections:
-- # selections are empty because almost no rules are applicable for RHEL9
-- - package_rsyslog_installed
-+ - var_password_pam_unix_remember=4
-+ - var_account_disable_post_pw_expiration=90
-+ - var_accounts_passwords_pam_faillock_deny=6
-+ - var_accounts_passwords_pam_faillock_unlock_time=1800
-+ - sshd_idle_timeout_value=15_minutes
-+ - var_password_pam_minlen=7
-+ - var_password_pam_minclass=2
-+ - var_accounts_maximum_age_login_defs=90
-+ - var_auditd_num_logs=5
-+ - service_auditd_enabled
-+ - grub2_audit_argument
-+ - auditd_data_retention_num_logs
-+ - auditd_data_retention_max_log_file
-+ - auditd_data_retention_max_log_file_action
-+ - auditd_data_retention_space_left_action
-+ - auditd_data_retention_admin_space_left_action
-+ - auditd_data_retention_action_mail_acct
-+ - package_audispd-plugins_installed
-+ - auditd_audispd_syslog_plugin_activated
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_stime
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_watch_localtime
-+ - audit_rules_usergroup_modification_group
-+ - audit_rules_usergroup_modification_gshadow
-+ - audit_rules_usergroup_modification_opasswd
-+ - audit_rules_usergroup_modification_passwd
-+ - audit_rules_usergroup_modification_shadow
-+ - audit_rules_networkconfig_modification
-+ - file_permissions_var_log_audit
-+ - file_ownership_var_log_audit
-+ - audit_rules_mac_modification
-+ - audit_rules_dac_modification_chmod
-+ - audit_rules_dac_modification_chown
-+ - audit_rules_dac_modification_fchmod
-+ - audit_rules_dac_modification_fchmodat
-+ - audit_rules_dac_modification_fchown
-+ - audit_rules_dac_modification_fchownat
-+ - audit_rules_dac_modification_fremovexattr
-+ - audit_rules_dac_modification_fsetxattr
-+ - audit_rules_dac_modification_lchown
-+ - audit_rules_dac_modification_lremovexattr
-+ - audit_rules_dac_modification_lsetxattr
-+ - audit_rules_dac_modification_removexattr
-+ - audit_rules_dac_modification_setxattr
-+ - audit_rules_login_events
-+ - audit_rules_session_events
-+ - audit_rules_unsuccessful_file_modification_creat
-+ - audit_rules_unsuccessful_file_modification_ftruncate
-+ - audit_rules_unsuccessful_file_modification_open
-+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
-+ - audit_rules_unsuccessful_file_modification_openat
-+ - audit_rules_unsuccessful_file_modification_truncate
-+ - audit_rules_privileged_commands
-+ - audit_rules_media_export
-+ - audit_rules_file_deletion_events_rename
-+ - audit_rules_file_deletion_events_renameat
-+ - audit_rules_file_deletion_events_rmdir
-+ - audit_rules_file_deletion_events_unlink
-+ - audit_rules_file_deletion_events_unlinkat
-+ - audit_rules_sysadmin_actions
-+ - audit_rules_kernel_module_loading_delete
-+ - audit_rules_kernel_module_loading_finit
-+ - audit_rules_kernel_module_loading_init
-+ - audit_rules_immutable
-+ - var_multiple_time_servers=rhel
-+# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
-+# - chronyd_or_ntpd_specify_remote_server # not supported in RHEL9 ATM
-+# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
-+ - rpm_verify_permissions
-+ - rpm_verify_hashes
-+# - install_hids # not supported in RHEL9 ATM
- - rsyslog_files_permissions
- - rsyslog_files_ownership
- - rsyslog_files_groupownership
-+ - ensure_logrotate_activated
-+ - package_aide_installed
-+ - aide_build_database
-+ - aide_periodic_cron_checking
-+ - account_unique_name
-+ - gid_passwd_group_same
-+ - accounts_password_all_shadowed
-+ - no_empty_passwords
-+ - display_login_attempts
-+ - account_disable_post_pw_expiration
-+ - accounts_passwords_pam_faillock_deny
-+ - accounts_passwords_pam_faillock_unlock_time
-+# - dconf_db_up_to_date # not supported in RHEL9 ATM
-+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
-+# - dconf_gnome_screensaver_idle_activation_enabled # not supported in RHEL9 ATM
-+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
-+# - dconf_gnome_screensaver_mode_blank # not supported in RHEL9 ATM
-+ - sshd_set_idle_timeout
-+ - var_sshd_set_keepalive=0
-+ - accounts_password_pam_minlen
-+ - accounts_password_pam_dcredit
-+ - accounts_password_pam_ucredit
-+ - accounts_password_pam_lcredit
-+ - accounts_password_pam_unix_remember
-+ - accounts_maximum_age_login_defs
-+ - ensure_redhat_gpgkey_installed
-+ - ensure_gpgcheck_globally_activated
-+ - ensure_gpgcheck_never_disabled
-+ - security_patches_up_to_date
-+ - package_opensc_installed
-+ - var_smartcard_drivers=cac
-+# - configure_opensc_card_drivers # not supported in RHEL9 ATM
-+# - force_opensc_card_drivers # not supported in RHEL9 ATM
-+# - package_pcsc-lite_installed # not supported in RHEL9 ATM
-+# - service_pcscd_enabled # not supported in RHEL9 ATM
-+# - sssd_enable_smartcards # not supported in RHEL9 ATM
-+ - set_password_hashing_algorithm_systemauth
-+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
-+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
-+ - file_owner_etc_shadow
-+ - file_groupowner_etc_shadow
-+ - file_permissions_etc_shadow
-+ - file_owner_etc_group
-+ - file_groupowner_etc_group
-+ - file_permissions_etc_group
-+ - file_owner_etc_passwd
-+ - file_groupowner_etc_passwd
-+ - file_permissions_etc_passwd
-+ - file_owner_grub2_cfg
-+ - file_groupowner_grub2_cfg
-+ - package_libreswan_installed
-+ - configure_crypto_policy
-+ - configure_bind_crypto_policy
-+ - configure_openssl_crypto_policy
-+ - configure_libreswan_crypto_policy
-+ - configure_ssh_crypto_policy
-+ - configure_kerberos_crypto_policy
-diff --git a/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
-new file mode 100644
-index 00000000000..3b734c2b2c5
---- /dev/null
-+++ b/rhel9/profiles/rht-ccp.profile
-@@ -0,0 +1,100 @@
-+documentation_complete: true
-+
-+title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
-+
-+description: |-
-+ This profile contains the minimum security relevant
-+ configuration settings recommended by Red Hat, Inc for
-+ Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
-+ Cloud Providers.
-+
-+selections:
-+ - var_selinux_state=enforcing
-+ - var_selinux_policy_name=targeted
-+ - file_owner_logfiles_value=root
-+ - file_groupowner_logfiles_value=root
-+ - sshd_idle_timeout_value=5_minutes
-+ - var_accounts_password_minlen_login_defs=6
-+ - var_accounts_minimum_age_login_defs=7
-+ - var_accounts_passwords_pam_faillock_deny=5
-+ - var_accounts_password_warn_age_login_defs=7
-+ - var_password_pam_retry=3
-+ - var_password_pam_dcredit=1
-+ - var_password_pam_ucredit=2
-+ - var_password_pam_ocredit=2
-+ - var_password_pam_lcredit=2
-+ - var_password_pam_difok=3
-+ - var_password_pam_unix_remember=5
-+ - var_accounts_user_umask=077
-+ - login_banner_text=usgcb_default
-+ - partition_for_tmp
-+ - partition_for_var
-+ - partition_for_var_log
-+ - partition_for_var_log_audit
-+ - selinux_state
-+ - selinux_policytype
-+ - ensure_redhat_gpgkey_installed
-+ - security_patches_up_to_date
-+ - ensure_gpgcheck_globally_activated
-+ - ensure_gpgcheck_never_disabled
-+ - package_aide_installed
-+ - accounts_password_pam_unix_remember
-+ - no_shelllogin_for_systemaccounts
-+ - no_empty_passwords
-+ - accounts_password_all_shadowed
-+ - accounts_no_uid_except_zero
-+ - accounts_password_minlen_login_defs
-+ - accounts_minimum_age_login_defs
-+ - accounts_password_warn_age_login_defs
-+ - accounts_password_pam_retry
-+ - accounts_password_pam_dcredit
-+ - accounts_password_pam_ucredit
-+ - accounts_password_pam_ocredit
-+ - accounts_password_pam_lcredit
-+ - accounts_password_pam_difok
-+ - accounts_passwords_pam_faillock_deny
-+ - set_password_hashing_algorithm_systemauth
-+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
-+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
-+ - require_singleuser_auth
-+ - file_owner_etc_shadow
-+ - file_groupowner_etc_shadow
-+ - file_permissions_etc_shadow
-+ - file_owner_etc_gshadow
-+ - file_groupowner_etc_gshadow
-+ - file_permissions_etc_gshadow
-+ - file_owner_etc_passwd
-+ - file_groupowner_etc_passwd
-+ - file_permissions_etc_passwd
-+ - file_owner_etc_group
-+ - file_groupowner_etc_group
-+ - file_permissions_etc_group
-+ - file_permissions_library_dirs
-+ - file_ownership_library_dirs
-+ - file_permissions_binary_dirs
-+ - file_ownership_binary_dirs
-+ - file_permissions_var_log_audit
-+ - file_owner_grub2_cfg
-+ - file_groupowner_grub2_cfg
-+ - file_permissions_grub2_cfg
-+ - grub2_password
-+ - kernel_module_dccp_disabled
-+ - kernel_module_sctp_disabled
-+ - service_firewalld_enabled
-+ - set_firewalld_default_zone
-+# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
-+ - service_abrtd_disabled
-+ - service_telnet_disabled
-+ - package_telnet-server_removed
-+ - package_telnet_removed
-+ - sshd_allow_only_protocol2
-+ - sshd_set_idle_timeout
-+ - var_sshd_set_keepalive=0
-+ - disable_host_auth
-+ - sshd_disable_root_login
-+ - sshd_disable_empty_passwords
-+ - sshd_enable_warning_banner
-+ - sshd_do_not_permit_user_env
-+ - var_system_crypto_policy=fips
-+ - configure_crypto_policy
-+ - configure_ssh_crypto_policy
-diff --git a/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
-new file mode 100644
-index 00000000000..a63ae2cf328
---- /dev/null
-+++ b/rhel9/profiles/standard.profile
-@@ -0,0 +1,67 @@
-+documentation_complete: true
-+
-+title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
-+
-+description: |-
-+ This profile contains rules to ensure standard security baseline
-+ of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload
-+ all of these checks should pass.
-+
-+selections:
-+ - ensure_redhat_gpgkey_installed
-+ - ensure_gpgcheck_globally_activated
-+ - rpm_verify_permissions
-+ - rpm_verify_hashes
-+ - security_patches_up_to_date
-+ - no_empty_passwords
-+ - file_permissions_unauthorized_sgid
-+ - file_permissions_unauthorized_suid
-+ - file_permissions_unauthorized_world_writable
-+ - accounts_root_path_dirs_no_write
-+ - dir_perms_world_writable_sticky_bits
-+ - mount_option_dev_shm_nodev
-+ - mount_option_dev_shm_nosuid
-+ - partition_for_var_log
-+ - partition_for_var_log_audit
-+ - package_rsyslog_installed
-+ - service_rsyslog_enabled
-+ - audit_rules_time_adjtimex
-+ - audit_rules_time_settimeofday
-+ - audit_rules_time_stime
-+ - audit_rules_time_clock_settime
-+ - audit_rules_time_watch_localtime
-+ - audit_rules_usergroup_modification
-+ - audit_rules_networkconfig_modification
-+ - audit_rules_mac_modification
-+ - audit_rules_dac_modification_chmod
-+ - audit_rules_dac_modification_chown
-+ - audit_rules_dac_modification_fchmod
-+ - audit_rules_dac_modification_fchmodat
-+ - audit_rules_dac_modification_fchown
-+ - audit_rules_dac_modification_fchownat
-+ - audit_rules_dac_modification_fremovexattr
-+ - audit_rules_dac_modification_fsetxattr
-+ - audit_rules_dac_modification_lchown
-+ - audit_rules_dac_modification_lremovexattr
-+ - audit_rules_dac_modification_lsetxattr
-+ - audit_rules_dac_modification_removexattr
-+ - audit_rules_dac_modification_setxattr
-+ - audit_rules_unsuccessful_file_modification
-+ - audit_rules_privileged_commands
-+ - audit_rules_media_export
-+ - audit_rules_file_deletion_events
-+ - audit_rules_sysadmin_actions
-+ - audit_rules_kernel_module_loading
-+ - service_abrtd_disabled
-+ - service_atd_disabled
-+ - service_autofs_disabled
-+ - service_ntpdate_disabled
-+ - service_oddjobd_disabled
-+ - service_qpidd_disabled
-+ - service_rdisc_disabled
-+ - configure_crypto_policy
-+ - configure_bind_crypto_policy
-+ - configure_openssl_crypto_policy
-+ - configure_libreswan_crypto_policy
-+ - configure_ssh_crypto_policy
-+ - configure_kerberos_crypto_policy
-diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
-new file mode 100644
-index 00000000000..50548f7e8eb
---- /dev/null
-+++ b/rhel9/profiles/stig.profile
-@@ -0,0 +1,1069 @@
-+documentation_complete: true
-+
-+metadata:
-+ version: V1R2
-+ SMEs:
-+ - carlosmmatos
-+
-+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
-+
-+title: 'DISA STIG for Red Hat Enterprise Linux 8'
-+
-+description: |-
-+ This profile contains configuration checks that align to the
-+ DISA STIG for Red Hat Enterprise Linux 8 V1R2.
-+
-+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
-+ configuration baseline as applicable to the operating system tier of
-+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
-+
-+ - Red Hat Enterprise Linux Server
-+ - Red Hat Enterprise Linux Workstation and Desktop
-+ - Red Hat Enterprise Linux for HPC
-+ - Red Hat Storage
-+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
-+
-+selections:
-+ ### Variables
-+ - var_rekey_limit_size=1G
-+ - var_rekey_limit_time=1hour
-+ - var_accounts_user_umask=077
-+ - var_password_pam_difok=8
-+ - var_password_pam_maxrepeat=3
-+ - var_sshd_disable_compression=no
-+ - var_password_hashing_algorithm=SHA512
-+ - var_password_pam_maxclassrepeat=4
-+ - var_password_pam_minclass=4
-+ - var_accounts_minimum_age_login_defs=1
-+ - var_accounts_max_concurrent_login_sessions=10
-+ - var_password_pam_unix_remember=5
-+ - var_selinux_state=enforcing
-+ - var_selinux_policy_name=targeted
-+ - var_accounts_password_minlen_login_defs=15
-+ - var_password_pam_unix_rounds=5000
-+ - var_password_pam_minlen=15
-+ - var_password_pam_ocredit=1
-+ - var_password_pam_dcredit=1
-+ - var_password_pam_ucredit=1
-+ - var_password_pam_lcredit=1
-+ - var_password_pam_retry=3
-+ - var_password_pam_minlen=15
-+ - var_sshd_set_keepalive=0
-+ - sshd_idle_timeout_value=10_minutes
-+ - var_accounts_passwords_pam_faillock_deny=3
-+ - var_accounts_passwords_pam_faillock_fail_interval=900
-+ - var_accounts_passwords_pam_faillock_unlock_time=never
-+ - var_ssh_client_rekey_limit_size=1G
-+ - var_ssh_client_rekey_limit_time=1hour
-+ - var_accounts_fail_delay=4
-+ - var_account_disable_post_pw_expiration=35
-+ - var_auditd_action_mail_acct=root
-+ - var_time_service_set_maxpoll=18_hours
-+ - var_accounts_maximum_age_login_defs=60
-+ - var_auditd_space_left=250MB
-+ - var_auditd_space_left_action=email
-+ - var_auditd_disk_error_action=halt
-+ - var_auditd_max_log_file_action=syslog
-+ - var_auditd_disk_full_action=halt
-+
-+ ### Enable / Configure FIPS
-+# - enable_fips_mode # not supported in RHEL9 ATM
-+ - var_system_crypto_policy=fips
-+ - configure_crypto_policy
-+ - configure_bind_crypto_policy
-+ - configure_libreswan_crypto_policy
-+ - configure_kerberos_crypto_policy
-+# - enable_dracut_fips_module # not supported in RHEL9 ATM
-+
-+ ### Rules:
-+ # RHEL-08-010070
-+ - installed_OS_is_vendor_supported
-+
-+ # RHEL-08-010010
-+ - security_patches_up_to_date
-+
-+ # RHEL-08-010020
-+ - sysctl_crypto_fips_enabled
-+
-+ # RHEL-08-010030
-+ - encrypt_partitions
-+
-+ # RHEL-08-010040
-+ - sshd_enable_warning_banner
-+
-+ # RHEL-08-010050
-+# - dconf_gnome_banner_enabled # not supported in RHEL9 ATM
-+# - dconf_gnome_login_banner_text # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010060
-+ - banner_etc_issue
-+
-+ # RHEL-08-010070
-+
-+ # RHEL-08-010090
-+
-+ # RHEL-08-010100
-+
-+ # RHEL-08-010110
-+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010120
-+
-+ # RHEL-08-010130
-+ - accounts_password_pam_unix_rounds_system_auth
-+ - accounts_password_pam_unix_rounds_password_auth
-+
-+ # RHEL-08-010140
-+# - grub2_uefi_password # not supported in RHEL9 ATM
-+# - grub2_uefi_admin_username # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010150
-+ - grub2_password
-+# - grub2_admin_username # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010151
-+ - require_singleuser_auth
-+ - require_emergency_target_auth
-+
-+ # RHEL-08-010152
-+ # To be released in V1R3
-+ # - require_emergency_target_auth
-+
-+ # RHEL-08-010160
-+ - set_password_hashing_algorithm_systemauth
-+
-+ # RHEL-08-010161
-+ - kerberos_disable_no_keytab
-+
-+ # RHEL-08-010162
-+ - package_krb5-workstation_removed
-+
-+ # RHEL-08-010170
-+ - selinux_state
-+
-+ # RHEL-08-010171
-+ - package_policycoreutils_installed
-+
-+ # RHEL-08-010180
-+
-+ # RHEL-08-010190
-+ - dir_perms_world_writable_sticky_bits
-+
-+ # RHEL-08-010200
-+ - sshd_set_idle_timeout
-+
-+ # RHEL-08-010210
-+ - file_permissions_var_log_messages
-+
-+ # RHEL-08-010220
-+ - file_owner_var_log_messages
-+
-+ # RHEL-08-010230
-+ - file_groupowner_var_log_messages
-+
-+ # RHEL-08-010240
-+ - file_permissions_var_log
-+
-+ # RHEL-08-010250
-+ - file_owner_var_log
-+
-+ # RHEL-08-010260
-+ - file_groupowner_var_log
-+
-+ # RHEL-08-010290 && RHEL-08-010291
-+ ### NOTE: This will get split out in future STIG releases, as well as we will break
-+ ### these rules up to be more flexible in meeting the requirements.
-+ - configure_ssh_crypto_policy
-+
-+ # RHEL-08-010292
-+# - sshd_use_strong_rng # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010293
-+ - configure_openssl_crypto_policy
-+
-+ # RHEL-08-010294
-+ - configure_openssl_tls_crypto_policy
-+
-+ # RHEL-08-010295
-+# - configure_gnutls_tls_crypto_policy # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010300
-+ - file_permissions_binary_dirs
-+
-+ # RHEL-08-010310
-+ - file_ownership_binary_dirs
-+
-+ # RHEL-08-010320
-+
-+ # RHEL-08-010330
-+ - file_permissions_library_dirs
-+
-+ # RHEL-08-010340
-+ - file_ownership_library_dirs
-+
-+ # RHEL-08-010350
-+
-+ # RHEL-08-010360
-+ - package_aide_installed
-+ - aide_scan_notification
-+
-+ # RHEL-08-010370
-+ - ensure_gpgcheck_globally_activated
-+
-+ # RHEL-08-010371
-+ - ensure_gpgcheck_local_packages
-+
-+ # RHEL-08-010372
-+ - sysctl_kernel_kexec_load_disabled
-+
-+ # RHEL-08-010373
-+ - sysctl_fs_protected_symlinks
-+
-+ # RHEL-08-010374
-+ - sysctl_fs_protected_hardlinks
-+
-+ # RHEL-08-010375
-+ - sysctl_kernel_dmesg_restrict
-+
-+ # RHEL-08-010376
-+ - sysctl_kernel_perf_event_paranoid
-+
-+ # RHEL-08-010380
-+ - sudo_remove_nopasswd
-+
-+ # RHEL-08-010381
-+ - sudo_remove_no_authenticate
-+
-+ # RHEL-08-010382
-+ - sudo_restrict_privilege_elevation_to_authorized
-+
-+ # RHEL-08-010383
-+ - sudoers_validate_passwd
-+
-+ # RHEL-08-010390
-+ - install_smartcard_packages
-+
-+ # RHEL-08-010400
-+
-+ # RHEL-08-010410
-+ - package_opensc_installed
-+
-+ # RHEL-08-010420
-+
-+ # RHEL-08-010421
-+ - grub2_page_poison_argument
-+
-+ # RHEL-08-010422
-+ - grub2_vsyscall_argument
-+
-+ # RHEL-08-010423
-+ - grub2_slub_debug_argument
-+
-+ # RHEL-08-010430
-+ - sysctl_kernel_randomize_va_space
-+
-+ # RHEL-08-010440
-+ - clean_components_post_updating
-+
-+ # RHEL-08-010450
-+ - selinux_policytype
-+
-+ # RHEL-08-010460
-+# - no_host_based_files # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010470
-+# - no_user_host_based_files # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010471
-+ - service_rngd_enabled
-+ - package_rng-tools_installed
-+
-+ # RHEL-08-010480
-+ - file_permissions_sshd_pub_key
-+
-+ # RHEL-08-010490
-+ - file_permissions_sshd_private_key
-+
-+ # RHEL-08-010500
-+ - sshd_enable_strictmodes
-+
-+ # RHEL-08-010510
-+ - sshd_disable_compression
-+
-+ # RHEL-08-010520
-+ - sshd_disable_user_known_hosts
-+
-+ # RHEL-08-010521
-+ - sshd_disable_kerb_auth
-+ - sshd_disable_gssapi_auth
-+
-+ # RHEL-08-010540
-+ - partition_for_var
-+
-+ # RHEL-08-010541
-+ - partition_for_var_log
-+
-+ # RHEL-08-010542
-+ - partition_for_var_log_audit
-+
-+ # RHEL-08-010543
-+ - partition_for_tmp
-+
-+ # RHEL-08-010544
-+ ### NOTE: Will probably show up in V1R3 - Q3 of 21'
-+ - partition_for_var_tmp
-+
-+ # RHEL-08-010550
-+ - sshd_disable_root_login
-+
-+ # RHEL-08-010560
-+ - service_auditd_enabled
-+
-+ # RHEL-08-010561
-+ - service_rsyslog_enabled
-+
-+ # RHEL-08-010570
-+ - mount_option_home_nosuid
-+
-+ # RHEL-08-010571
-+ - mount_option_boot_nosuid
-+
-+ # RHEL-08-010580
-+ - mount_option_nodev_nonroot_local_partitions
-+
-+ # RHEL-08-010590
-+
-+ # RHEL-08-010600
-+ - mount_option_nodev_removable_partitions
-+
-+ # RHEL-08-010610
-+ - mount_option_noexec_removable_partitions
-+
-+ # RHEL-08-010620
-+ - mount_option_nosuid_removable_partitions
-+
-+ # RHEL-08-010630
-+ - mount_option_noexec_remote_filesystems
-+
-+ # RHEL-08-010640
-+ - mount_option_nodev_remote_filesystems
-+
-+ # RHEL-08-010650
-+ - mount_option_nosuid_remote_filesystems
-+
-+ # RHEL-08-010660
-+# - accounts_user_dot_no_world_writable_programs # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010670
-+ - service_kdump_disabled
-+
-+ # RHEL-08-010671
-+ - sysctl_kernel_core_pattern
-+
-+ # RHEL-08-010672
-+ - service_systemd-coredump_disabled
-+
-+ # RHEL-08-010673
-+ - disable_users_coredumps
-+
-+ # RHEL-08-010674
-+# - coredump_disable_storage
-+
-+ # RHEL-08-010675
-+# - coredump_disable_backtraces
-+
-+ # RHEL-08-010680
-+# - network_configure_name_resolution # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010690
-+# - accounts_user_home_paths_only # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010700
-+ - dir_perms_world_writable_root_owned
-+
-+ # RHEL-08-010710
-+
-+ # RHEL-08-010720
-+# - accounts_user_interactive_home_directory_defined # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010730
-+ - file_permissions_home_directories
-+
-+ # RHEL-08-010740
-+ - file_groupownership_home_directories
-+
-+ # RHEL-08-010750
-+ - accounts_user_interactive_home_directory_exists
-+
-+ # RHEL-08-010760
-+# - accounts_have_homedir_login_defs # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010770
-+ - file_permission_user_init_files
-+
-+ # RHEL-08-010780
-+ - no_files_unowned_by_user
-+
-+ # RHEL-08-010790
-+ - file_permissions_ungroupowned
-+
-+ # RHEL-08-010800
-+ - partition_for_home
-+
-+ # RHEL-08-010820
-+# - gnome_gdm_disable_automatic_login # not supported in RHEL9 ATM
-+
-+ # RHEL-08-010830
-+ - sshd_do_not_permit_user_env
-+
-+ # RHEL-08-020000
-+# - account_temp_expire_date # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020010
-+ - accounts_passwords_pam_faillock_deny
-+
-+ # RHEL-08-020011
-+
-+ # RHEL-08-020012
-+ - accounts_passwords_pam_faillock_interval
-+
-+ # RHEL-08-020013
-+
-+ # RHEL-08-020014
-+ - accounts_passwords_pam_faillock_unlock_time
-+
-+ # RHEL-08-020015
-+
-+ # RHEL-08-020016
-+
-+ # RHEL-08-020017
-+
-+ # RHEL-08-020018
-+
-+ # RHEL-08-020019
-+
-+ # RHEL-08-020020
-+
-+ # RHEL-08-020021
-+
-+ # RHEL-08-020022
-+ - accounts_passwords_pam_faillock_deny_root
-+
-+ # RHEL-08-020023
-+
-+ # RHEL-08-020024
-+ - accounts_max_concurrent_login_sessions
-+
-+ # RHEL-08-020030
-+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020040
-+ - package_tmux_installed
-+# - configure_tmux_lock_command # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020041
-+# - configure_bashrc_exec_tmux # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020042
-+# - no_tmux_in_shells # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020050
-+# - dconf_gnome_lock_screen_on_smartcard_removal # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020060
-+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020070
-+# - configure_tmux_lock_after_time # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020080
-+
-+ # RHEL-08-020090
-+
-+ # RHEL-08-020100
-+ - accounts_password_pam_retry
-+
-+ # RHEL-08-020110
-+ - accounts_password_pam_ucredit
-+
-+ # RHEL-08-020120
-+ - accounts_password_pam_lcredit
-+
-+ # RHEL-08-020130
-+ - accounts_password_pam_dcredit
-+
-+ # RHEL-08-020140
-+ - accounts_password_pam_maxclassrepeat
-+
-+ # RHEL-08-020150
-+ - accounts_password_pam_maxrepeat
-+
-+ # RHEL-08-020160
-+ - accounts_password_pam_minclass
-+
-+ # RHEL-08-020170
-+ - accounts_password_pam_difok
-+
-+ # RHEL-08-020180
-+# - accounts_password_set_min_life_existing # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020190
-+ - accounts_minimum_age_login_defs
-+
-+ # RHEL-08-020200
-+ - accounts_maximum_age_login_defs
-+
-+ # RHEL-08-020210
-+# - accounts_password_set_max_life_existing # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020220
-+ - accounts_password_pam_unix_remember
-+
-+ # RHEL-08-020230
-+ - accounts_password_pam_minlen
-+
-+ # RHEL-08-020231
-+ - accounts_password_minlen_login_defs
-+
-+ # RHEL-08-020240
-+
-+ # RHEL-08-020250
-+# - sssd_enable_smartcards # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020260
-+ - account_disable_post_pw_expiration
-+
-+ # RHEL-08-020270
-+
-+ # RHEL-08-020280
-+ - accounts_password_pam_ocredit
-+
-+ # RHEL-08-020290
-+# - sssd_offline_cred_expiration # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020300
-+
-+ # RHEL-08-020310
-+ - accounts_logon_fail_delay
-+
-+ # RHEL-08-020320
-+ # - accounts_authorized_local_users
-+
-+ # RHEL-08-020330
-+ - no_empty_passwords
-+ - sshd_disable_empty_passwords
-+
-+ # RHEL-08-020340
-+ - display_login_attempts
-+
-+ # RHEL-08-020350
-+ - sshd_print_last_log
-+
-+ # RHEL-08-020351
-+ - accounts_umask_etc_login_defs
-+
-+ # RHEL-08-020352
-+# - accounts_umask_interactive_users # not supported in RHEL9 ATM
-+
-+ # RHEL-08-020353
-+ - accounts_umask_etc_bashrc
-+
-+ # RHEL-08-030000
-+# - audit_rules_suid_privilege_function # not supported in RHEL9 ATM
-+
-+ # RHEL-08-030010
-+ - rsyslog_cron_logging
-+
-+ # RHEL-08-030020
-+ - auditd_data_retention_action_mail_acct
-+
-+ # RHEL-08-030030
-+ - postfix_client_configure_mail_alias
-+
-+ # RHEL-08-030040
-+ - auditd_data_disk_error_action
-+
-+ # RHEL-08-030050
-+ - auditd_data_retention_max_log_file_action
-+
-+ # RHEL-08-030060
-+ - auditd_data_disk_full_action
-+
-+ # RHEL-08-030061
-+ - auditd_local_events
-+
-+ # RHEL-08-030062
-+ - auditd_name_format
-+
-+ # RHEL-08-030063
-+ - auditd_log_format
-+
-+ # RHEL-08-030070
-+ - file_permissions_var_log_audit
-+
-+ # RHEL-08-030080, RHEL-08-030090, RHEL-08-030100, RHEL-08-030110
-+ ### NOTE: These might get broken up, but currently the following
-+ ### rule accounts for these STIG ID's
-+ - file_ownership_var_log_audit
-+
-+ # RHEL-08-030120
-+ - directory_permissions_var_log_audit
-+
-+ # *** NOTE *** #
-+ # Audit rules are currently under review as to how best to approach
-+ # them. We are working with DISA and our internal audit experts to
-+ # provide a final solution soon.
-+ # ************ #
-+
-+ # RHEL-08-030121
-+ # - audit_rules_immutable
-+
-+ # RHEL-08-030122
-+ # - audit_immutable_login_uids
-+
-+ # RHEL-08-030130
-+ # - audit_rules_usergroup_modification_shadow
-+
-+ # RHEL-08-030140
-+ # - audit_rules_usergroup_modification_opasswd
-+
-+ # RHEL-08-030150
-+ # - audit_rules_usergroup_modification_passwd
-+
-+ # RHEL-08-030160
-+ # - audit_rules_usergroup_modification_gshadow
-+
-+ # RHEL-08-030170
-+ # - audit_rules_usergroup_modification_group
-+
-+ # RHEL-08-030171, RHEL-08-030172
-+ # - audit_rules_sysadmin_actions
-+
-+ # RHEL-08-030180
-+ - package_audit_installed
-+ - service_auditd_enabled
-+
-+ # RHEL-08-030190
-+ # - audit_rules_privileged_commands_sudo
-+
-+ # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, RHEL-08-030230, RHEL-08-030240
-+ # - audit_perm_change_failed
-+ # - audit_perm_change_success
-+
-+ # RHEL-08-030250
-+ # - audit_rules_privileged_commands_chage
-+
-+ # RHEL-08-030260
-+ # - audit_rules_execution_chcon
-+
-+ # RHEL-08-030270
-+ # - audit_perm_change_failed
-+ # - audit_perm_change_success
-+
-+ # RHEL-08-030280
-+
-+ # RHEL-08-030290, RHEL-08-030300, RHEL-08-030301
-+ # - audit_ospp_general
-+
-+ # RHEL-08-030302
-+ # - audit_rules_media_export
-+
-+ # RHEL-08-030310
-+
-+ # RHEL-08-030311
-+ # - audit_rules_privileged_commands_postdrop
-+
-+ # RHEL-08-030312
-+ # - audit_rules_privileged_commands_postqueue
-+
-+ # RHEL-08-030313
-+ # - audit_rules_execution_semanage
-+
-+ # RHEL-08-030314
-+ # - audit_rules_execution_setfiles
-+
-+ # RHEL-08-030315
-+ # - audit_ospp_general
-+
-+ # RHEL-08-030316
-+ # - audit_rules_execution_setsebool
-+
-+ # RHEL-08-030317
-+ # - audit_ospp_general
-+
-+ # RHEL-08-030320
-+ # - audit_rules_privileged_commands_ssh_keysign
-+
-+ # RHEL-08-030330
-+
-+ # RHEL-08-030340
-+ # - audit_rules_privileged_commands_pam_timestamp_check
-+
-+ # RHEL-08-030350
-+ # - audit_ospp_general
-+
-+ # RHEL-08-030360
-+ # - audit_module_load
-+
-+ # RHEL-08-030361, RHEL-08-030362
-+ # - audit_delete_failed
-+ # - audit_delete_success
-+
-+ # RHEL-08-030363
-+
-+ # RHEL-08-030364, RHEL-08-030365
-+ # - audit_delete_failed
-+ # - audit_delete_success
-+
-+ # RHEL-08-030370
-+ # - audit_ospp_general
-+
-+ # RHEL-08-030380, RHEL-08-030390
-+ # - audit_module_load
-+
-+ # RHEL-08-030400
-+ # - audit_ospp_general
-+
-+ # RHEL-08-030410
-+ # - audit_rules_privileged_commands_chsh
-+
-+ # RHEL-08-030420
-+ # - audit_modify_failed
-+ # - audit_modify_success
-+
-+ # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450
-+ # - audit_create_failed
-+ # - audit_create_success
-+ # - audit_modify_failed
-+ # - audit_modify_success
-+ # - audit_access_failed
-+ # - audit_access_success
-+
-+ # RHEL-08-030460
-+ # - audit_modify_failed
-+ # - audit_modify_success
-+
-+ # RHEL-08-030470
-+ # - audit_create_failed
-+ # - audit_create_success
-+
-+ # RHEL-08-030480
-+ # - audit_owner_change_failed
-+ # - audit_owner_change_success
-+
-+ # RHEL-08-030490
-+ # - audit_perm_change_failed
-+ # - audit_perm_change_success
-+
-+ # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520
-+ # - audit_owner_change_failed
-+ # - audit_owner_change_success
-+
-+ # RHEL-08-030530, RHEL-08-030540
-+ # - audit_perm_change_failed
-+ # - audit_perm_change_success
-+
-+ # RHEL-08-030550
-+ # - audit_rules_privileged_commands_sudo
-+
-+ # RHEL-08-030560
-+
-+ # RHEL-08-030570
-+
-+ # RHEL-08-030580
-+
-+ # RHEL-08-030590
-+ # - audit_rules_login_events_faillock
-+
-+ # RHEL-08-030600
-+ # - audit_rules_login_events_lastlog
-+
-+ # RHEL-08-030601
-+ - grub2_audit_argument
-+
-+ # RHEL-08-030602
-+ - grub2_audit_backlog_limit_argument
-+
-+ # RHEL-08-030603
-+ - configure_usbguard_auditbackend
-+
-+ # RHEL-08-030610
-+
-+ # RHEL-08-030620
-+
-+ # RHEL-08-030630
-+
-+ # RHEL-08-030640
-+
-+ # RHEL-08-030650
-+
-+ # RHEL-08-030660
-+
-+ # RHEL-08-030670
-+ - package_rsyslog_installed
-+
-+ # RHEL-08-030680
-+ - package_rsyslog-gnutls_installed
-+
-+ # RHEL-08-030690
-+ - rsyslog_remote_loghost
-+
-+ # RHEL-08-030700
-+
-+ # RHEL-08-030710
-+
-+ # RHEL-08-030720
-+
-+ # RHEL-08-030730
-+ # this rule expects configuration in MB instead percentage as how STIG demands
-+ # - auditd_data_retention_space_left
-+ - auditd_data_retention_space_left_action
-+
-+ # RHEL-08-030740
-+ # remediation fails because default configuration file contains pool instead of server keyword
-+# - chronyd_or_ntpd_set_maxpoll # not supported in RHEL9 ATM
-+
-+ # RHEL-08-030741
-+# - chronyd_client_only # not supported in RHEL9 ATM
-+
-+ # RHEL-08-030742
-+# - chronyd_no_chronyc_network # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040000
-+ - package_telnet-server_removed
-+
-+ # RHEL-08-040001
-+ - package_abrt_removed
-+ - package_abrt-addon-ccpp_removed
-+ - package_abrt-addon-kerneloops_removed
-+ - package_abrt-addon-python_removed
-+ - package_abrt-cli_removed
-+ - package_abrt-plugin-logger_removed
-+ - package_abrt-plugin-rhtsupport_removed
-+ - package_abrt-plugin-sosreport_removed
-+
-+ # RHEL-08-040002
-+ - package_sendmail_removed
-+
-+ # RHEL-08-040003
-+ ### NOTE: Will be removed in V1R2, merged into RHEL-08-040370
-+
-+ # RHEL-08-040004
-+ - grub2_pti_argument
-+
-+ # RHEL-08-040010
-+ - package_rsh-server_removed
-+
-+ # RHEL-08-040020
-+
-+ # RHEL-08-040021
-+ - kernel_module_atm_disabled
-+
-+ # RHEL-08-040022
-+ - kernel_module_can_disabled
-+
-+ # RHEL-08-040023
-+ - kernel_module_sctp_disabled
-+
-+ # RHEL-08-040024
-+ - kernel_module_tipc_disabled
-+
-+ # RHEL-08-040025
-+ - kernel_module_cramfs_disabled
-+
-+ # RHEL-08-040026
-+ - kernel_module_firewire-core_disabled
-+
-+ # RHEL-08-040030
-+# - configure_firewalld_ports # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040060
-+ ### NOTE: Will be removed in V1R2
-+
-+ # RHEL-08-040070
-+ - service_autofs_disabled
-+
-+ # RHEL-08-040080
-+ - kernel_module_usb-storage_disabled
-+
-+ # RHEL-08-040090
-+
-+ # RHEL-08-040100
-+ - service_firewalld_enabled
-+ - package_firewalld_installed
-+
-+ # RHEL-08-040110
-+ - wireless_disable_interfaces
-+
-+ # RHEL-08-040111
-+ - kernel_module_bluetooth_disabled
-+
-+ # RHEL-08-040120
-+ - mount_option_dev_shm_nodev
-+
-+ # RHEL-08-040121
-+ - mount_option_dev_shm_nosuid
-+
-+ # RHEL-08-040122
-+ - mount_option_dev_shm_noexec
-+
-+ # RHEL-08-040123
-+ - mount_option_tmp_nodev
-+
-+ # RHEL-08-040124
-+ - mount_option_tmp_nosuid
-+
-+ # RHEL-08-040125
-+ - mount_option_tmp_noexec
-+
-+ # RHEL-08-040126
-+ - mount_option_var_log_nodev
-+
-+ # RHEL-08-040127
-+ - mount_option_var_log_nosuid
-+
-+ # RHEL-08-040128
-+ - mount_option_var_log_noexec
-+
-+ # RHEL-08-040129
-+ - mount_option_var_log_audit_nodev
-+
-+ # RHEL-08-040130
-+ - mount_option_var_log_audit_nosuid
-+
-+ # RHEL-08-040131
-+ - mount_option_var_log_audit_noexec
-+
-+ # RHEL-08-040132
-+ - mount_option_var_tmp_nodev
-+
-+ # RHEL-08-040133
-+ - mount_option_var_tmp_nosuid
-+
-+ # RHEL-08-040134
-+ - mount_option_var_tmp_noexec
-+
-+ # RHEL-08-040135
-+ - package_fapolicyd_installed
-+ - service_fapolicyd_enabled
-+
-+ # RHEL-08-040140
-+ - package_usbguard_installed
-+ - service_usbguard_enabled
-+
-+ # RHEL-08-040150
-+
-+ # RHEL-08-040160
-+ - package_openssh-server_installed
-+ - service_sshd_enabled
-+
-+ # RHEL-08-040161
-+ - sshd_rekey_limit
-+
-+ # RHEL-08-040162
-+# - ssh_client_rekey_limit # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040170
-+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040171
-+# - dconf_gnome_disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040172
-+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040180
-+# - service_debug-shell_disabled # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040190
-+ - package_tftp-server_removed
-+
-+ # RHEL-08-040200
-+ - accounts_no_uid_except_zero
-+
-+ # RHEL-08-040210
-+ - sysctl_net_ipv4_conf_default_accept_redirects
-+ - sysctl_net_ipv6_conf_default_accept_redirects
-+
-+ # RHEL-08-040220
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+
-+ # RHEL-08-040230
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+
-+ # RHEL-08-040240
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+
-+ # RHEL-08-040250
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+
-+ # RHEL-08-040260
-+ - sysctl_net_ipv4_ip_forward
-+
-+ # RHEL-08-040261
-+ - sysctl_net_ipv6_conf_all_accept_ra
-+
-+ # RHEL-08-040262
-+ - sysctl_net_ipv6_conf_default_accept_ra
-+
-+ # RHEL-08-040270
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+
-+ # RHEL-08-040280
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+
-+ # RHEL-08-040281
-+ - sysctl_kernel_unprivileged_bpf_disabled
-+
-+ # RHEL-08-040282
-+ - sysctl_kernel_yama_ptrace_scope
-+
-+ # RHEL-08-040283
-+ - sysctl_kernel_kptr_restrict
-+
-+ # RHEL-08-040284
-+ - sysctl_user_max_user_namespaces
-+
-+ # RHEL-08-040285
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+
-+ # RHEL-08-040290
-+ # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
-+ # there needs to be a new platform check to identify when postfix is installed or not
-+ # - postfix_prevent_unrestricted_relay
-+
-+ # RHEL-08-040300
-+ - aide_verify_ext_attributes
-+
-+ # RHEL-08-040310
-+ - aide_verify_acls
-+
-+ # RHEL-08-040320
-+ - xwindows_remove_packages
-+
-+ # RHEL-08-040330
-+ - network_sniffer_disabled
-+
-+ # RHEL-08-040340
-+ - sshd_disable_x11_forwarding
-+
-+ # RHEL-08-040341
-+# - sshd_x11_use_localhost # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040350
-+# - tftpd_uses_secure_mode # not supported in RHEL9 ATM
-+
-+ # RHEL-08-040360
-+ - package_vsftpd_removed
-+
-+ # RHEL-08-040370
-+ - package_gssproxy_removed
-+
-+ # RHEL-08-040380
-+ - package_iprutils_removed
-+
-+ # RHEL-08-040390
-+ - package_tuned_removed
-diff --git a/rhel9/profiles/stig_gui.profile b/rhel9/profiles/stig_gui.profile
-new file mode 100644
-index 00000000000..ff9a2833df8
---- /dev/null
-+++ b/rhel9/profiles/stig_gui.profile
-@@ -0,0 +1,36 @@
-+documentation_complete: true
-+
-+metadata:
-+ version: V1R2
-+ SMEs:
-+ - carlosmmatos
-+
-+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
-+
-+title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
-+
-+description: |-
-+ This profile contains configuration checks that align to the
-+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
-+
-+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
-+ configuration baseline as applicable to the operating system tier of
-+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
-+
-+ - Red Hat Enterprise Linux Server
-+ - Red Hat Enterprise Linux Workstation and Desktop
-+ - Red Hat Enterprise Linux for HPC
-+ - Red Hat Storage
-+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
-+
-+ Warning: The installation and use of a Graphical User Interface (GUI)
-+ increases your attack vector and decreases your overall security posture. If
-+ your Information Systems Security Officer (ISSO) lacks a documented operational
-+ requirement for a graphical user interface, please consider using the
-+ standard DISA STIG for Red Hat Enterprise Linux 8 profile.
-+
-+extends: stig
-+
-+selections:
-+ # RHEL-08-040320
-+ - '!xwindows_remove_packages'
-
-From 5c5a4500a92ebd32078cf05b2b3eb24a9f58f285 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
-Date: Thu, 10 Jun 2021 19:48:13 +0200
-Subject: [PATCH 2/4] Added note that the profile is a RHEL9 draft.
- ---- - rhel9/profiles/cis.profile | 10 +++------- - rhel9/profiles/cjis.profile | 2 +- - rhel9/profiles/e8.profile | 4 ++-- - rhel9/profiles/hipaa.profile | 4 ++-- - rhel9/profiles/ism_o.profile | 4 ++-- - rhel9/profiles/ospp.profile | 2 +- - rhel9/profiles/pci-dss.profile | 2 +- - rhel9/profiles/rht-ccp.profile | 4 ++-- - rhel9/profiles/standard.profile | 2 +- - rhel9/profiles/stig.profile | 7 +++---- - rhel9/profiles/stig_gui.profile | 13 ++++++------- - 11 files changed, 24 insertions(+), 30 deletions(-) - -diff --git a/rhel9/profiles/cis.profile b/rhel9/profiles/cis.profile -index 8939011ad1f..7cc538f82ce 100644 ---- a/rhel9/profiles/cis.profile -+++ b/rhel9/profiles/cis.profile -@@ -1,21 +1,17 @@ - documentation_complete: true - - metadata: -- version: 1.0.0 -+ version: 0.0.0 - SMEs: - - vojtapolasek - - yuumasato - - reference: https://www.cisecurity.org/benchmark/red_hat_linux/ - --title: 'CIS Red Hat Enterprise Linux 8 Benchmark' -+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark' - - description: |- -- This profile defines a baseline that aligns to the Center for Internet Security® -- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. -- -- This profile includes Center for Internet Security® -- Red Hat Enterprise Linux 8 CIS Benchmarks™ content. 
-+ This is a draft CIS profile based on the RHEL8 CIS - - selections: - # Necessary for dconf rules -diff --git a/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile -index 1fc531952b6..3c9c385cd48 100644 ---- a/rhel9/profiles/cjis.profile -+++ b/rhel9/profiles/cjis.profile -@@ -7,7 +7,7 @@ metadata: - - reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center - --title: 'Criminal Justice Information Services (CJIS) Security Policy' -+title: '[RHEL9 DRAFT] Criminal Justice Information Services (CJIS) Security Policy' - - description: |- - This profile is derived from FBI's CJIS v5.4 -diff --git a/rhel9/profiles/e8.profile b/rhel9/profiles/e8.profile -index 30eb9c594ac..6d87a778eee 100644 ---- a/rhel9/profiles/e8.profile -+++ b/rhel9/profiles/e8.profile -@@ -6,10 +6,10 @@ metadata: - - reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers - --title: 'Australian Cyber Security Centre (ACSC) Essential Eight' -+title: '[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight' - - description: |- -- This profile contains configuration checks for Red Hat Enterprise Linux 8 -+ This profile contains configuration checks for Red Hat Enterprise Linux 9 - that align to the Australian Cyber Security Centre (ACSC) Essential Eight. - - A copy of the Essential Eight in Linux Environments guide can be found at the -diff --git a/rhel9/profiles/hipaa.profile b/rhel9/profiles/hipaa.profile -index 7919649d4d5..1bd7cc10459 100644 ---- a/rhel9/profiles/hipaa.profile -+++ b/rhel9/profiles/hipaa.profile -@@ -7,7 +7,7 @@ metadata: - - reference: https://www.hhs.gov/hipaa/for-professionals/index.html - --title: 'Health Insurance Portability and Accountability Act (HIPAA)' -+title: '[RHEL9 DRAFT] Health Insurance Portability and Accountability Act (HIPAA)' - - description: |- - The HIPAA Security Rule establishes U.S. 
national standards to protect individuals’ -@@ -17,7 +17,7 @@ description: |- - confidentiality, integrity, and security of electronic protected health - information. - -- This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security -+ This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security - Rule identified for securing of electronic protected health information. - Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). - -diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile -index 592be03783f..3a884f8371d 100644 ---- a/rhel9/profiles/ism_o.profile -+++ b/rhel9/profiles/ism_o.profile -@@ -8,10 +8,10 @@ metadata: - - reference: https://www.cyber.gov.au/ism - --title: 'Australian Cyber Security Centre (ACSC) ISM Official' -+title: '[RHEL9 DRAFT] Australian Cyber Security Centre (ACSC) ISM Official' - - description: |- -- This profile contains configuration checks for Red Hat Enterprise Linux 8 -+ This profile contains configuration checks for Red Hat Enterprise Linux 9 - that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) - with the applicability marking of OFFICIAL. 
- -diff --git a/rhel9/profiles/ospp.profile b/rhel9/profiles/ospp.profile -index c4a43dc5eb6..84d23fe8ff5 100644 ---- a/rhel9/profiles/ospp.profile -+++ b/rhel9/profiles/ospp.profile -@@ -9,7 +9,7 @@ metadata: - - reference: https://www.niap-ccevs.org/Profile/PP.cfm - --title: 'Protection Profile for General Purpose Operating Systems' -+title: '[RHEL9 DRAFT] Protection Profile for General Purpose Operating Systems' - - description: |- - This profile reflects mandatory configuration controls identified in the -diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile -index 966b2d5e1d8..6b00be5f76a 100644 ---- a/rhel9/profiles/pci-dss.profile -+++ b/rhel9/profiles/pci-dss.profile -@@ -6,7 +6,7 @@ metadata: - - reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - --title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8' -+title: '[RHEL9 DRAFT] PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9' - - description: |- - Ensures PCI-DSS v3.2.1 security configuration settings are applied. -diff --git a/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile -index 3b734c2b2c5..34244db3f3d 100644 ---- a/rhel9/profiles/rht-ccp.profile -+++ b/rhel9/profiles/rht-ccp.profile -@@ -1,11 +1,11 @@ - documentation_complete: true - --title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' -+title: '[RHEL9 DRAFT] Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' - - description: |- - This profile contains the minimum security relevant - configuration settings recommended by Red Hat, Inc for -- Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified -+ Red Hat Enterprise Linux 9 instances deployed by Red Hat Certified - Cloud Providers. 
- - selections: -diff --git a/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile -index a63ae2cf328..921e30749d6 100644 ---- a/rhel9/profiles/standard.profile -+++ b/rhel9/profiles/standard.profile -@@ -1,6 +1,6 @@ - documentation_complete: true - --title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -+title: 'Standard System Security Profile for Red Hat Enterprise Linux 9' - - description: |- - This profile contains rules to ensure standard security baseline -diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile -index 50548f7e8eb..1baafe6f751 100644 ---- a/rhel9/profiles/stig.profile -+++ b/rhel9/profiles/stig.profile -@@ -1,17 +1,16 @@ - documentation_complete: true - - metadata: -- version: V1R2 -+ version: NA - SMEs: - - carlosmmatos - - reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - --title: 'DISA STIG for Red Hat Enterprise Linux 8' -+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 9' - - description: |- -- This profile contains configuration checks that align to the -- DISA STIG for Red Hat Enterprise Linux 8 V1R2. 
-+ This profile contains configuration checks that are based on the RHEL8 STIG - - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this - configuration baseline as applicable to the operating system tier of -diff --git a/rhel9/profiles/stig_gui.profile b/rhel9/profiles/stig_gui.profile -index ff9a2833df8..da26c9f1b89 100644 ---- a/rhel9/profiles/stig_gui.profile -+++ b/rhel9/profiles/stig_gui.profile -@@ -1,19 +1,18 @@ - documentation_complete: true - - metadata: -- version: V1R2 -+ version: NA - SMEs: - - carlosmmatos - - reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - --title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' -+title: '[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9' - - description: |- -- This profile contains configuration checks that align to the -- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2. -+ This profile contains configuration checks that are based on the RHEL8 STIG - -- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this -+ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this - configuration baseline as applicable to the operating system tier of - Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - -@@ -21,13 +20,13 @@ description: |- - - Red Hat Enterprise Linux Workstation and Desktop - - Red Hat Enterprise Linux for HPC - - Red Hat Storage -- - Red Hat Containers with a Red Hat Enterprise Linux 8 image -+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image - - Warning: The installation and use of a Graphical User Interface (GUI) - increases your attack vector and decreases your overall security posture. If - your Information Systems Security Officer (ISSO) lacks a documented operational - requirement for a graphical user interface, please consider using the -- standard DISA STIG for Red Hat Enterprise Linux 8 profile. 
-+ standard DISA STIG for Red Hat Enterprise Linux 9 profile. - - extends: stig - - -From f27a9195b81f017f25f95eec50ec19114b0ea406 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Wed, 16 Jun 2021 12:04:53 +0200 -Subject: [PATCH 3/4] Added RHEL9 CCEs. - -Some of the available CCEs were actually taken, so the amount of removed CCEs is greater -than the number of rules that got a CCE. -Sometimes PRs introduce CCE inconsistencies: https://github.com/ComplianceAsCode/content/pull/6579 ---- - .../service_avahi-daemon_disabled/rule.yml | 1 + - .../base/package_abrt_removed/rule.yml | 1 + - .../base/service_abrtd_disabled/rule.yml | 1 + - .../base/service_kdump_disabled/rule.yml | 1 + - .../base/service_ntpdate_disabled/rule.yml | 1 + - .../base/service_oddjobd_disabled/rule.yml | 1 + - .../base/service_qpidd_disabled/rule.yml | 1 + - .../base/service_rdisc_disabled/rule.yml | 1 + - .../base/service_rhnsd_disabled/rule.yml | 1 + - .../file_groupowner_cron_d/rule.yml | 1 + - .../file_groupowner_cron_daily/rule.yml | 1 + - .../file_groupowner_cron_hourly/rule.yml | 1 + - .../file_groupowner_cron_monthly/rule.yml | 1 + - .../file_groupowner_cron_weekly/rule.yml | 1 + - .../file_groupowner_crontab/rule.yml | 1 + - .../cron_and_at/file_owner_cron_d/rule.yml | 1 + - .../file_owner_cron_daily/rule.yml | 1 + - .../file_owner_cron_hourly/rule.yml | 1 + - .../file_owner_cron_monthly/rule.yml | 1 + - .../file_owner_cron_weekly/rule.yml | 1 + - .../cron_and_at/file_owner_crontab/rule.yml | 1 + - .../file_permissions_cron_d/rule.yml | 1 + - .../file_permissions_cron_daily/rule.yml | 1 + - .../file_permissions_cron_hourly/rule.yml | 1 + - .../file_permissions_cron_monthly/rule.yml | 1 + - .../file_permissions_cron_weekly/rule.yml | 1 + - .../file_permissions_crontab/rule.yml | 1 + - .../cron_and_at/service_atd_disabled/rule.yml | 1 + - .../service_crond_enabled/rule.yml | 1 + - .../package_dhcp_removed/rule.yml | 1 + - .../service_dhcpd_disabled/rule.yml | 
1 + - .../service_named_disabled/rule.yml | 1 + - .../package_fapolicyd_installed/rule.yml | 1 + - .../service_fapolicyd_enabled/rule.yml | 1 + - .../package_vsftpd_removed/rule.yml | 1 + - .../service_vsftpd_disabled/rule.yml | 1 + - .../service_httpd_disabled/rule.yml | 1 + - .../service_dovecot_disabled/rule.yml | 1 + - .../kerberos_disable_no_keytab/rule.yml | 1 + - .../package_openldap-clients_removed/rule.yml | 1 + - .../mail/package_sendmail_removed/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../service_rpcbind_disabled/rule.yml | 1 + - .../service_nfs_disabled/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../package_nfs-utils_removed/rule.yml | 1 + - .../ntp/chronyd_run_as_chrony_user/rule.yml | 1 + - .../chronyd_specify_remote_server/rule.yml | 1 + - .../ntp/package_chrony_installed/rule.yml | 1 + - .../ntp/service_chronyd_enabled/rule.yml | 1 + - .../package_xinetd_removed/rule.yml | 1 + - .../service_xinetd_disabled/rule.yml | 1 + - .../nis/package_ypbind_removed/rule.yml | 1 + - .../nis/package_ypserv_removed/rule.yml | 1 + - .../r_services/no_rsh_trust_files/rule.yml | 1 + - .../package_rsh-server_removed/rule.yml | 1 + - .../r_services/package_rsh_removed/rule.yml | 1 + - .../obsolete/service_rsyncd_disabled/rule.yml | 1 + - .../talk/package_talk-server_removed/rule.yml | 1 + - .../talk/package_talk_removed/rule.yml | 1 + - .../package_telnet-server_removed/rule.yml | 1 + - .../telnet/package_telnet_removed/rule.yml | 1 + - .../telnet/service_telnet_disabled/rule.yml | 1 + - .../tftp/package_tftp-server_removed/rule.yml | 1 + - .../printing/service_cups_disabled/rule.yml | 1 + - .../package_squid_removed/rule.yml | 1 + - .../service_squid_disabled/rule.yml | 1 + - .../rng/service_rngd_enabled/rule.yml | 1 + - .../package_quagga_removed/rule.yml | 1 + - .../service_zebra_disabled/rule.yml | 1 + - .../service_smb_disabled/rule.yml | 1 + - .../service_snmpd_disabled/rule.yml | 1 + - 
.../ssh/file_groupowner_sshd_config/rule.yml | 1 + - .../ssh/file_owner_sshd_config/rule.yml | 1 + - .../ssh/file_permissions_sshd_config/rule.yml | 1 + - .../rule.yml | 1 + - .../file_permissions_sshd_pub_key/rule.yml | 1 + - .../rule.yml | 1 + - .../package_openssh-server_installed/rule.yml | 1 + - .../ssh/service_sshd_enabled/rule.yml | 1 + - .../ssh/ssh_server/disable_host_auth/rule.yml | 1 + - .../sshd_allow_only_protocol2/rule.yml | 1 + - .../sshd_disable_compression/rule.yml | 1 + - .../sshd_disable_empty_passwords/rule.yml | 1 + - .../sshd_disable_gssapi_auth/rule.yml | 1 + - .../sshd_disable_kerb_auth/rule.yml | 1 + - .../ssh_server/sshd_disable_rhosts/rule.yml | 1 + - .../sshd_disable_root_login/rule.yml | 1 + - .../sshd_disable_tcp_forwarding/rule.yml | 1 + - .../sshd_disable_user_known_hosts/rule.yml | 1 + - .../sshd_disable_x11_forwarding/rule.yml | 1 + - .../sshd_do_not_permit_user_env/rule.yml | 1 + - .../sshd_enable_strictmodes/rule.yml | 1 + - .../sshd_enable_warning_banner/rule.yml | 1 + - .../ssh_server/sshd_print_last_log/rule.yml | 1 + - .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 1 + - .../ssh_server/sshd_set_idle_timeout/rule.yml | 1 + - .../ssh_server/sshd_set_keepalive/rule.yml | 1 + - .../sshd_set_loglevel_info/rule.yml | 1 + - .../sshd_set_max_auth_tries/rule.yml | 1 + - .../ssh_server/sshd_set_max_sessions/rule.yml | 1 + - .../configure_usbguard_auditbackend/rule.yml | 1 + - .../package_usbguard_installed/rule.yml | 1 + - .../service_usbguard_enabled/rule.yml | 1 + - .../usbguard_allow_hid_and_hub/rule.yml | 1 + - .../rule.yml | 1 + - .../xwindows_remove_packages/rule.yml | 1 + - .../xwindows_runlevel_target/rule.yml | 1 + - .../banner_etc_issue/rule.yml | 1 + - .../accounts-banners/banner_etc_motd/rule.yml | 1 + - .../file_permissions_etc_issue/rule.yml | 1 + - .../file_permissions_etc_motd/rule.yml | 1 + - .../display_login_attempts/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - 
.../rule.yml | 1 + - .../accounts_password_pam_dcredit/rule.yml | 1 + - .../accounts_password_pam_difok/rule.yml | 1 + - .../accounts_password_pam_lcredit/rule.yml | 1 + - .../rule.yml | 1 + - .../accounts_password_pam_maxrepeat/rule.yml | 1 + - .../accounts_password_pam_minclass/rule.yml | 1 + - .../accounts_password_pam_minlen/rule.yml | 1 + - .../accounts_password_pam_ocredit/rule.yml | 1 + - .../accounts_password_pam_retry/rule.yml | 1 + - .../accounts_password_pam_ucredit/rule.yml | 1 + - .../rule.yml | 1 + - .../require_emergency_target_auth/rule.yml | 1 + - .../require_singleuser_auth/rule.yml | 1 + - .../package_tmux_installed/rule.yml | 1 + - .../install_smartcard_packages/rule.yml | 1 + - .../package_opensc_installed/rule.yml | 1 + - .../rule.yml | 1 + - .../account_unique_name/rule.yml | 1 + - .../accounts_maximum_age_login_defs/rule.yml | 1 + - .../accounts_minimum_age_login_defs/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../accounts_password_all_shadowed/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../gid_passwd_group_same/rule.yml | 1 + - .../no_empty_passwords/rule.yml | 1 + - .../no_legacy_plus_entries_etc_group/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../password_storage/no_netrc_files/rule.yml | 1 + - .../accounts_no_uid_except_zero/rule.yml | 1 + - .../no_direct_root_logins/rule.yml | 1 + - .../no_shelllogin_for_systemaccounts/rule.yml | 1 + - .../restrict_serial_port_logins/rule.yml | 1 + - .../rule.yml | 1 + - .../accounts_logon_fail_delay/rule.yml | 1 + - .../rule.yml | 1 + - .../accounts_polyinstantiated_tmp/rule.yml | 1 + - .../rule.yml | 1 + - .../accounts-session/accounts_tmout/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../file_permission_user_init_files/rule.yml | 1 + - .../rule.yml | 1 + - .../file_permissions_home_dirs/rule.yml | 1 + - .../accounts_root_path_dirs_no_write/rule.yml | 1 + - .../accounts_umask_etc_bashrc/rule.yml | 1 + - 
.../accounts_umask_etc_login_defs/rule.yml | 1 + - .../accounts_umask_etc_profile/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../audit_rules_execution_chcon/rule.yml | 1 + - .../audit_rules_execution_restorecon/rule.yml | 1 + - .../audit_rules_execution_semanage/rule.yml | 1 + - .../audit_rules_execution_setfiles/rule.yml | 1 + - .../audit_rules_execution_setsebool/rule.yml | 1 + - .../audit_rules_execution_seunshare/rule.yml | 1 + - .../audit_rules_file_deletion_events/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../audit_rules_login_events/rule.yml | 1 + - .../rule.yml | 1 + - .../audit_rules_login_events_lastlog/rule.yml | 1 + - .../rule.yml | 1 + - .../audit_rules_privileged_commands/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../audit_rules_immutable/rule.yml | 1 + - .../audit_rules_mac_modification/rule.yml | 1 + - .../audit_rules_media_export/rule.yml | 1 + - .../rule.yml | 1 + - .../audit_rules_session_events/rule.yml | 1 + - .../audit_rules_sysadmin_actions/rule.yml | 1 + - .../audit_rules_system_shutdown/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - 
.../rule.yml | 1 + - .../rule.yml | 1 + - .../audit_rules_time_adjtimex/rule.yml | 1 + - .../audit_rules_time_clock_settime/rule.yml | 1 + - .../audit_rules_time_settimeofday/rule.yml | 1 + - .../audit_rules_time_stime/rule.yml | 1 + - .../audit_rules_time_watch_localtime/rule.yml | 1 + - .../rule.yml | 1 + - .../file_ownership_var_log_audit/rule.yml | 1 + - .../file_permissions_var_log_audit/rule.yml | 1 + - .../rule.yml | 1 + - .../auditd_data_disk_error_action/rule.yml | 1 + - .../auditd_data_disk_full_action/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../auditd_data_retention_flush/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../auditd_data_retention_num_logs/rule.yml | 1 + - .../rule.yml | 1 + - .../auditd_freq/rule.yml | 1 + - .../auditd_local_events/rule.yml | 1 + - .../auditd_log_format/rule.yml | 1 + - .../auditd_name_format/rule.yml | 1 + - .../auditd_write_logs/rule.yml | 1 + - .../auditing/grub2_audit_argument/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../auditing/package_audit_installed/rule.yml | 1 + - .../policy_rules/audit_access_failed/rule.yml | 1 + - .../audit_access_success/rule.yml | 1 + - .../audit_basic_configuration/rule.yml | 1 + - .../policy_rules/audit_create_failed/rule.yml | 1 + - .../audit_create_success/rule.yml | 1 + - .../policy_rules/audit_delete_failed/rule.yml | 1 + - .../audit_delete_success/rule.yml | 1 + - .../audit_immutable_login_uids/rule.yml | 1 + - .../policy_rules/audit_modify_failed/rule.yml | 1 + - .../audit_modify_success/rule.yml | 1 + - .../policy_rules/audit_module_load/rule.yml | 1 + - .../policy_rules/audit_ospp_general/rule.yml | 1 + - .../audit_owner_change_failed/rule.yml | 1 + - .../audit_owner_change_success/rule.yml | 1 + - .../audit_perm_change_failed/rule.yml | 1 + - .../audit_perm_change_success/rule.yml | 1 + - .../auditing/service_auditd_enabled/rule.yml | 1 + - .../grub2_enable_iommu_force/rule.yml | 1 + - .../grub2_kernel_trust_cpu_rng/rule.yml | 1 + - 
.../grub2_pti_argument/rule.yml | 1 + - .../grub2_vsyscall_argument/rule.yml | 1 + - .../file_groupowner_grub2_cfg/rule.yml | 1 + - .../non-uefi/file_owner_grub2_cfg/rule.yml | 1 + - .../file_permissions_grub2_cfg/rule.yml | 1 + - .../non-uefi/grub2_password/rule.yml | 1 + - .../zipl_audit_argument/rule.yml | 1 + - .../rule.yml | 1 + - .../zipl_bls_entries_only/rule.yml | 1 + - .../zipl_bootmap_is_up_to_date/rule.yml | 1 + - .../zipl_page_poison_argument/rule.yml | 1 + - .../zipl_slub_debug_argument/rule.yml | 1 + - .../zipl_vsyscall_argument/rule.yml | 1 + - .../rsyslog_cron_logging/rule.yml | 1 + - .../ensure_logrotate_activated/rule.yml | 1 + - .../package_rsyslog-gnutls_installed/rule.yml | 1 + - .../rsyslog_nolisten/rule.yml | 1 + - .../rsyslog_remote_loghost/rule.yml | 1 + - .../rsyslog_remote_tls/rule.yml | 1 + - .../rsyslog_remote_tls_cacert/rule.yml | 1 + - .../logging/service_rsyslog_enabled/rule.yml | 1 + - .../package_firewalld_installed/rule.yml | 1 + - .../service_firewalld_enabled/rule.yml | 1 + - .../set_firewalld_default_zone/rule.yml | 1 + - .../package_libreswan_installed/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../sysctl_net_ipv4_tcp_rfc1337/rule.yml | 1 + - .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - 
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 + - .../kernel_module_atm_disabled/rule.yml | 1 + - .../kernel_module_can_disabled/rule.yml | 1 + - .../kernel_module_dccp_disabled/rule.yml | 1 + - .../rule.yml | 1 + - .../kernel_module_rds_disabled/rule.yml | 1 + - .../kernel_module_sctp_disabled/rule.yml | 1 + - .../kernel_module_tipc_disabled/rule.yml | 1 + - .../kernel_module_bluetooth_disabled/rule.yml | 1 + - .../wireless_disable_interfaces/rule.yml | 1 + - .../network/network_sniffer_disabled/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../file_permissions_ungroupowned/rule.yml | 1 + - .../files/no_files_unowned_by_user/rule.yml | 1 + - .../file_groupowner_backup_etc_group/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../file_groupowner_etc_group/rule.yml | 1 + - .../file_groupowner_etc_gshadow/rule.yml | 1 + - .../file_groupowner_etc_passwd/rule.yml | 1 + - .../file_groupowner_etc_shadow/rule.yml | 1 + - .../file_owner_backup_etc_group/rule.yml | 1 + - .../file_owner_backup_etc_gshadow/rule.yml | 1 + - .../file_owner_backup_etc_passwd/rule.yml | 1 + - .../file_owner_backup_etc_shadow/rule.yml | 1 + - .../file_owner_etc_group/rule.yml | 1 + - .../file_owner_etc_gshadow/rule.yml | 1 + - .../file_owner_etc_passwd/rule.yml | 1 + - .../file_owner_etc_shadow/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../file_permissions_etc_group/rule.yml | 1 + - .../file_permissions_etc_gshadow/rule.yml | 1 + - .../file_permissions_etc_passwd/rule.yml | 1 + - .../file_permissions_etc_shadow/rule.yml | 1 + - .../file_groupowner_var_log/rule.yml | 1 + - .../file_groupowner_var_log_messages/rule.yml | 1 + - .../file_owner_var_log/rule.yml | 1 + - .../file_owner_var_log_messages/rule.yml | 1 + - .../file_permissions_var_log/rule.yml | 1 + - .../rule.yml | 1 + - .../file_ownership_binary_dirs/rule.yml | 1 + - 
.../file_ownership_library_dirs/rule.yml | 1 + - .../file_permissions_binary_dirs/rule.yml | 1 + - .../file_permissions_library_dirs/rule.yml | 1 + - .../sysctl_fs_protected_hardlinks/rule.yml | 1 + - .../sysctl_fs_protected_symlinks/rule.yml | 1 + - .../kernel_module_cramfs_disabled/rule.yml | 1 + - .../kernel_module_squashfs_disabled/rule.yml | 1 + - .../kernel_module_udf_disabled/rule.yml | 1 + - .../rule.yml | 1 + - .../mounting/service_autofs_disabled/rule.yml | 1 + - .../mount_option_boot_nodev/rule.yml | 1 + - .../mount_option_boot_noexec/rule.yml | 1 + - .../mount_option_boot_nosuid/rule.yml | 1 + - .../mount_option_dev_shm_nodev/rule.yml | 1 + - .../mount_option_dev_shm_noexec/rule.yml | 1 + - .../mount_option_dev_shm_nosuid/rule.yml | 1 + - .../mount_option_home_nodev/rule.yml | 1 + - .../mount_option_home_noexec/rule.yml | 1 + - .../mount_option_home_nosuid/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../mount_option_opt_nosuid/rule.yml | 1 + - .../mount_option_srv_nosuid/rule.yml | 1 + - .../mount_option_tmp_nodev/rule.yml | 1 + - .../mount_option_tmp_noexec/rule.yml | 1 + - .../mount_option_tmp_nosuid/rule.yml | 1 + - .../mount_option_var_log_audit_nodev/rule.yml | 1 + - .../rule.yml | 1 + - .../rule.yml | 1 + - .../mount_option_var_log_nodev/rule.yml | 1 + - .../mount_option_var_log_noexec/rule.yml | 1 + - .../mount_option_var_log_nosuid/rule.yml | 1 + - .../mount_option_var_nodev/rule.yml | 1 + - .../mount_option_var_noexec/rule.yml | 1 + - .../mount_option_var_nosuid/rule.yml | 1 + - .../mount_option_var_tmp_nodev/rule.yml | 1 + - .../mount_option_var_tmp_noexec/rule.yml | 1 + - .../mount_option_var_tmp_nosuid/rule.yml | 1 + - .../disable_users_coredumps/rule.yml | 1 + - .../rule.yml | 1 + - .../sysctl_fs_suid_dumpable/rule.yml | 1 + - .../sysctl_kernel_exec_shield/rule.yml | 1 + - .../sysctl_kernel_kptr_restrict/rule.yml | 1 + - .../sysctl_kernel_randomize_va_space/rule.yml | 1 + - 
.../grub2_page_poison_argument/rule.yml | 1 +
- .../grub2_slub_debug_argument/rule.yml | 1 +
- .../sysctl_kernel_core_pattern/rule.yml | 1 +
- .../sysctl_kernel_dmesg_restrict/rule.yml | 1 +
- .../rule.yml | 1 +
- .../sysctl_kernel_modules_disabled/rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
- .../sysctl_kernel_pid_max/rule.yml | 1 +
- .../restrictions/sysctl_kernel_sysrq/rule.yml | 1 +
- .../rule.yml | 1 +
- .../sysctl_kernel_yama_ptrace_scope/rule.yml | 1 +
- .../sysctl_net_core_bpf_jit_harden/rule.yml | 1 +
- .../sysctl_user_max_user_namespaces/rule.yml | 1 +
- .../sysctl_vm_mmap_min_addr/rule.yml | 1 +
- .../selinux/grub2_enable_selinux/rule.yml | 1 +
- .../package_libselinux_installed/rule.yml | 1 +
- .../selinux/package_mcstrans_removed/rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
- .../package_setroubleshoot_removed/rule.yml | 1 +
- .../sebool_auditadm_exec_content/rule.yml | 1 +
- .../sebool_deny_execmem/rule.yml | 1 +
- .../sebool_polyinstantiation_enabled/rule.yml | 1 +
- .../sebool_secure_mode_insmod/rule.yml | 1 +
- .../sebool_selinuxuser_execheap/rule.yml | 1 +
- .../sebool_selinuxuser_execmod/rule.yml | 1 +
- .../sebool_selinuxuser_execstack/rule.yml | 1 +
- .../sebool_ssh_sysadm_login/rule.yml | 1 +
- .../selinux_confinement_of_daemons/rule.yml | 1 +
- .../selinux/selinux_policytype/rule.yml | 1 +
- .../system/selinux/selinux_state/rule.yml | 1 +
- .../encrypt_partitions/rule.yml | 1 +
- .../partition_for_home/rule.yml | 1 +
- .../partition_for_srv/rule.yml | 1 +
- .../partition_for_tmp/rule.yml | 1 +
- .../partition_for_var/rule.yml | 1 +
- .../partition_for_var_log/rule.yml | 1 +
- .../partition_for_var_log_audit/rule.yml | 1 +
- .../partition_for_var_tmp/rule.yml | 1 +
- .../gnome/package_gdm_removed/rule.yml | 1 +
- .../installed_OS_is_vendor_supported/rule.yml | 1 +
- .../configure_bind_crypto_policy/rule.yml | 1 +
- .../crypto/configure_crypto_policy/rule.yml | 1 +
-
.../configure_kerberos_crypto_policy/rule.yml | 1 +
- .../rule.yml | 1 +
- .../configure_openssl_crypto_policy/rule.yml | 1 +
- .../rule.yml | 1 +
- .../configure_ssh_crypto_policy/rule.yml | 1 +
- .../rule.yml | 1 +
- .../fips/sysctl_crypto_fips_enabled/rule.yml | 1 +
- .../aide/aide_build_database/rule.yml | 1 +
- .../aide/aide_periodic_cron_checking/rule.yml | 1 +
- .../aide/aide_scan_notification/rule.yml | 1 +
- .../aide/aide_verify_acls/rule.yml | 1 +
- .../aide/aide_verify_ext_attributes/rule.yml | 1 +
- .../aide/package_aide_installed/rule.yml | 1 +
- .../rpm_verify_hashes/rule.yml | 1 +
- .../rpm_verify_ownership/rule.yml | 1 +
- .../rpm_verify_permissions/rule.yml | 1 +
- .../system/software/prefer_64bit_os/rule.yml | 1 +
- .../sudo/package_sudo_installed/rule.yml | 1 +
- .../software/sudo/sudo_add_noexec/rule.yml | 1 +
- .../sudo/sudo_add_requiretty/rule.yml | 1 +
- .../software/sudo/sudo_add_use_pty/rule.yml | 1 +
- .../sudo/sudo_custom_logfile/rule.yml | 1 +
- .../sudo/sudo_remove_no_authenticate/rule.yml | 1 +
- .../sudo/sudo_remove_nopasswd/rule.yml | 1 +
- .../sudo/sudo_require_authentication/rule.yml | 1 +
- .../rule.yml | 1 +
- .../software/sudo/sudo_vdsm_nopasswd/rule.yml | 1 +
- .../sudoers_explicit_command_args/rule.yml | 5 +-
- .../sudo/sudoers_no_command_negation/rule.yml | 5 +-
- .../sudo/sudoers_no_root_target/rule.yml | 5 +-
- .../sudo/sudoers_validate_passwd/rule.yml | 1 +
- .../package_abrt-addon-ccpp_removed/rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
- .../package_abrt-cli_removed/rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
- .../package_gnutls-utils_installed/rule.yml | 1 +
- .../package_gssproxy_removed/rule.yml | 1 +
- .../package_iprutils_removed/rule.yml | 1 +
- .../package_krb5-workstation_removed/rule.yml | 1 +
- .../rule.yml | 1 +
- .../package_rear_installed/rule.yml | 1 +
- .../package_rng-tools_installed/rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
-
.../package_tuned_removed/rule.yml | 1 +
- .../clean_components_post_updating/rule.yml | 1 +
- .../dnf-automatic_apply_updates/rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
- .../ensure_gpgcheck_local_packages/rule.yml | 1 +
- .../ensure_gpgcheck_never_disabled/rule.yml | 1 +
- .../package_dnf-automatic_installed/rule.yml | 1 +
- .../timer_dnf-automatic_enabled/rule.yml | 1 +
- 549 files changed, 554 insertions(+), 577 deletions(-)
-
-diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-index 86fabb43744..8ad5ad300aa 100644
---- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80338-7
- cce@rhel8: CCE-82188-4
-+ cce@rhel9: CCE-90824-4
-
- references:
- cis@rhel7: 2.2.3
-diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml
-index 53b633c1f32..d1f2c060751 100644
---- a/linux_os/guide/services/base/package_abrt_removed/rule.yml
-+++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-81040-8
- cce@rhel8: CCE-80948-3
-+ cce@rhel9: CCE-84228-6
-
- references:
- srg: SRG-OS-000095-GPOS-00049
-diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-index cacd7eeb3a7..73b3fad1446 100644
---- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82027-4
- cce@rhel8: CCE-80870-9
-+ cce@rhel9: CCE-84234-4
-
- references:
- nist: CM-7(a),CM-6(a)
-diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
-index 1bb014b5993..5129bcd31e7 100644
---- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80258-7
- cce@rhel8: CCE-80878-2
-+ cce@rhel9: CCE-84232-8
- cce@sle12: CCE-83105-7
- cce@sle15: CCE-85638-5
-
-diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
-index 8dfbcf5faab..7c1ae86f5fe 100644
---- a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
-@@ -23,6 +23,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80262-9
- cce@rhel8: CCE-80879-0
-+ cce@rhel9: CCE-84236-9
-
- references:
- disa: CCI-000382
-diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
-index 64aa1c45f9e..dbe4b22a809 100644
---- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80263-7
- cce@rhel8: CCE-80880-8
-+ cce@rhel9: CCE-84229-4
-
- references:
- disa: CCI-000381
-diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
-index badee1af18e..be12fd102a1 100644
---- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
-@@ -24,6 +24,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80266-0
- cce@rhel8: CCE-80882-4
-+ cce@rhel9: CCE-84231-0
-
- references:
- disa: CCI-000382
-diff --git
a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-index 772f8c37e68..3cae11fd233 100644
---- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80268-6
- cce@rhel8: CCE-80883-2
-+ cce@rhel9: CCE-84237-7
-
- references:
- disa: CCI-000382
-diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
-index ba3b04d8811..35290e39084 100644
---- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
-@@ -22,6 +22,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80269-4
- cce@rhel8: CCE-82405-2
-+ cce@rhel9: CCE-84235-1
-
- references:
- cis@rhel7: 1.2.5
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
-index bcf17d8d1ba..63741db4654 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82265-0
- cce@rhel8: CCE-82268-4
-+ cce@rhel9: CCE-84177-5
-
- references:
- cis@rhel7: 5.1.7
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
-index 3731bcff80a..2bbef88897c 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82232-0
- cce@rhel8: CCE-82234-6
-+ cce@rhel9: CCE-84170-0
-
- references:
- cis@rhel7: 5.1.4
-diff --git
a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-index f6be1d8e385..c1d873c80b4 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82226-2
- cce@rhel8: CCE-82227-0
-+ cce@rhel9: CCE-84186-6
-
- references:
- cis@rhel7: 5.1.3
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-index 823bf13d3a8..5f98988f1d3 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82255-1
- cce@rhel8: CCE-82256-9
-+ cce@rhel9: CCE-84189-0
-
- references:
- cis@rhel7: 5.1.6
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-index edeef8ff378..e6876272e08 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82242-9
- cce@rhel8: CCE-82244-5
-+ cce@rhel9: CCE-84174-2
-
- references:
- cis@rhel7: 5.1.5
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-index 8c4027198e3..6556e3f8d23 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82222-1
- cce@rhel8:
CCE-82223-9
-+ cce@rhel9: CCE-84171-8
-
- references:
- cis@rhel7: 5.1.2
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-index 29df5f3a977..2e95b3569da 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82270-0
- cce@rhel8: CCE-82272-6
-+ cce@rhel9: CCE-84169-2
-
- references:
- cis@rhel7: 5.1.7
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-index f7e7811c8b1..41b87b5c458 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82236-1
- cce@rhel8: CCE-82237-9
-+ cce@rhel9: CCE-84188-2
-
- references:
- cis@rhel7: 5.1.4
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-index 04041e13dfe..97ecab21d35 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82208-0
- cce@rhel8: CCE-82209-8
-+ cce@rhel9: CCE-84168-4
-
- references:
- cis@rhel7: 5.1.3
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-index 46757a03195..b607f980e6e 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82259-3
- cce@rhel8:
CCE-82260-1
-+ cce@rhel9: CCE-84179-1
-
- references:
- cis@rhel7: 5.1.6
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-index 48f897e4339..3c0d65d9349 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82246-0
- cce@rhel8: CCE-82247-8
-+ cce@rhel9: CCE-84190-8
-
- references:
- cis@rhel7: 5.1.5
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-index 738d9820b7f..ff0493c9d22 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82217-1
- cce@rhel8: CCE-82224-7
-+ cce@rhel9: CCE-84167-6
-
- references:
- cis@rhel7: 5.1.2
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
-index f47ae580724..d3af795efcb 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82276-7
- cce@rhel8: CCE-82277-5
-+ cce@rhel9: CCE-84183-3
-
- references:
- cis@rhel7: 5.1.7
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
-index ce7a7447a68..40eb753b45c 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7:
CCE-82239-5
- cce@rhel8: CCE-82240-3
-+ cce@rhel9: CCE-84175-9
-
- references:
- cis@rhel7: 5.1.4
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
-index dc9c7274f6e..cb0d959fecf 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82229-6
- cce@rhel8: CCE-82230-4
-+ cce@rhel9: CCE-84173-4
-
- references:
- cis@rhel7: 5.1.3
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
-index 0ce221933e3..1bb7486b3be 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82262-7
- cce@rhel8: CCE-82263-5
-+ cce@rhel9: CCE-84181-7
-
- references:
- cis@rhel7: 5.1.6
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
-index 0bcf7c9dfa3..ea5020367e9 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82250-2
- cce@rhel8: CCE-82253-6
-+ cce@rhel9: CCE-84187-4
-
- references:
- cis@rhel7: 5.1.5
-diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
-index 4a743ab10d5..62b3623b10c 100644
---- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
-+++
b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82205-6
- cce@rhel8: CCE-82206-4
-+ cce@rhel9: CCE-84176-7
-
- references:
- cis@rhel7: 5.1.2
-diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-index 12bde00f86c..bd3f5894e1d 100644
---- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80345-2
- cce@rhel8: CCE-80871-7
-+ cce@rhel9: CCE-84164-3
-
- references:
- disa: CCI-000381
-diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-index d2c99d0d3f9..5e6aa3f246d 100644
---- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27323-5
- cce@rhel8: CCE-80875-8
-+ cce@rhel9: CCE-84163-5
-
- references:
- cis@rhel7: 5.1.1
-diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
-index 5f6ef7037d1..e1f2ee67c0c 100644
---- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
-+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
-@@ -24,6 +24,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80331-2
- cce@rhel8: CCE-83385-5
-+ cce@rhel9: CCE-84240-1
-
- references:
- disa: CCI-000366
-diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-index ef7cb53457e..d5a35841bb7
100644
---- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80330-4
- cce@rhel8: CCE-82864-0
-+ cce@rhel9: CCE-84241-9
-
- references:
- disa: CCI-000366
-diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-index ee4527a8953..9416c1a47c3 100644
---- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80325-4
- cce@rhel8: CCE-82409-4
-+ cce@rhel9: CCE-84194-0
-
- references:
- cis@rhel7: 2.2.8
-diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
-index abaa84ceb0f..def5fd0b715 100644
---- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
-+++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82191-8
-+ cce@rhel9: CCE-84224-5
- cce@rhcos4: CCE-82533-1
-
- references:
-diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
-index a8b98ce3630..69be5807c1d 100644
---- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
-+++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82249-4
-+ cce@rhel9: CCE-84227-8
- cce@rhcos4: CCE-82534-9
-
- references:
-diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-index b41afade347..30f5483a471 100644
---- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-@@ -15,6 +15,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-80245-4
- cce@rhel8: CCE-82414-4
-+ cce@rhel9: CCE-84159-3
- cce@sle15: CCE-85700-3
-
- references:
-diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-index e6424e0162a..f43dabbda35 100644
---- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-+++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80244-7
- cce@rhel8: CCE-82413-6
-+ cce@rhel9: CCE-84160-1
-
- references:
- cis@rhel7: 2.2.9
-diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-index 10808731308..880cb190c41 100644
---- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-@@ -16,6 +16,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-80300-7
- cce@rhel8: CCE-82761-8
-+ cce@rhel9: CCE-84213-8
-
- references:
- cis@rhel7: 2.2.10
-diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
-index 54235dbfe6a..d460c18646d 100644
---- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
-+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
-@@ -16,6 +16,7 @@ severity: unknown
- identifiers:
- cce@rhel7:
CCE-80294-2
- cce@rhel8: CCE-82760-0
-+ cce@rhel9: CCE-84242-7
-
- references:
- cis@rhel7: 2.2.11
-diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
-index 3e0de0e531f..992e397de54 100644
---- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
-+++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82175-1
-+ cce@rhel9: CCE-84221-1
-
- references:
- ospp: FTP_ITC_EXT.1
-diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
-index 36be8d99194..6d0409fd273 100644
---- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
-+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
-@@ -18,6 +18,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-82884-8
- cce@rhel8: CCE-82885-5
-+ cce@rhel9: CCE-90831-9
-
- references:
- cis@rhel7: 2.3.5
-diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
-index 3c851cfb227..a56d93cdae5 100644
---- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
-+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80288-4
- cce@rhel8: CCE-81039-0
-+ cce@rhel9: CCE-90830-1
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a)
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
-index 28d5b41a750..3d390b35e8f 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
-+++
b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
-@@ -21,6 +21,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-82380-7
- cce@rhel8: CCE-82381-5
-+ cce@rhel9: CCE-90826-9
- cce@sle12: CCE-83031-5
- cce@sle15: CCE-85605-4
-
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-index 4a9a36ab8c3..e0e3a53d9e5 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80289-2
- cce@rhel8: CCE-82174-4
-+ cce@rhel9: CCE-90825-1
-
- references:
- cis@rhel7: 2.2.16
-diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
-index 13723c22bab..a44f0c1c492 100644
---- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
-+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
-@@ -22,6 +22,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80230-6
- cce@rhel8: CCE-82858-2
-+ cce@rhel9: CCE-84245-0
-
- references:
- cis@rhel7: 2.2.18
-diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
-index 5ecd328720e..ef2717e3116 100644
---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
-+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
-@@ -17,6 +17,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-80237-1
- cce@rhel8: CCE-82762-6
-+ cce@rhel9: CCE-90850-9
-
- references:
- cis@rhel7: 2.2.7
-diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
-index 82eac90b88b..6b2313ecc21 100644
---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
-+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80239-7
- cce@rhel8: CCE-84052-0
-+ cce@rhel9: CCE-90838-4
-
- references:
- nist: CM-6(a),MP-2
-diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
-index 4c65f182a9f..9bd6d8ddfdc 100644
---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
-+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
-@@ -19,6 +19,7 @@ identifiers:
- cce@sle12: CCE-83103-2
- cce@sle15: CCE-85636-9
- cce@rhel8: CCE-84050-4
-+ cce@rhel9: CCE-84246-8
-
- references:
- stigid@ol7: OL07-00-021021
-diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
-index 134be291155..036bc8f69b3 100644
---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
-+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
-@@ -17,6 +17,7 @@ identifiers:
- cce@sle12: CCE-83102-4
- cce@sle15: CCE-85635-1
- cce@rhel8: CCE-84053-8
-+ cce@rhel9: CCE-84247-6
-
- references:
- stigid@ol7: OL07-00-021020
-diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
-index d8527598136..33f4764f795 100644
---- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
-+++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
-@@ -19,6 +19,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-82933-3
- cce@rhel8: CCE-82932-5
-+ cce@rhel9: CCE-84243-5
-
- references:
- srg: SRG-OS-000095-GPOS-00049
-diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
-index 0947a2faaa8..47cb3d67b7e 100644
---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
-+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
-@@ -30,6 +30,7 @@ references:
- identifiers:
- cce@rhel7: CCE-82878-0
- cce@rhel8: CCE-82879-8
-+ cce@rhel9: CCE-84108-0
-
- ocil_clause: 'chronyd is not running under chrony user account'
-
-diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
-index 3583feaf04f..c36fcad3b77 100644
---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
-+++
b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
-@@ -24,6 +24,7 @@ platform: chrony
- identifiers:
- cce@rhel7: CCE-83418-4
- cce@rhel8: CCE-82873-1
-+ cce@rhel9: CCE-84218-7
-
- references:
- cis@rhel7: 2.2.1.2
-diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
-index 0c7a01f4a15..7b8edaf8b65 100644
---- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
-+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
-@@ -20,6 +20,7 @@ platform: machine
- identifiers:
- cce@rhel7: CCE-83419-2
- cce@rhel8: CCE-82874-9
-+ cce@rhel9: CCE-84215-3
-
- references:
- cis@rhel7: 2.2.1.1
-diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
-index c582b2d6121..dad54bcbfa4 100644
---- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
-+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
-@@ -23,6 +23,7 @@ platform: machine
- identifiers:
- cce@rhel7: CCE-83420-0
- cce@rhel8: CCE-82875-6
-+ cce@rhel9: CCE-84217-9
-
- references:
- cis@rhel7: 2.2.1.3
-diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
-index f582f8b481d..ec4a0de2f61 100644
---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
-@@ -16,6 +16,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-27354-0
- cce@rhel8: CCE-80850-1
-+ cce@rhel9: CCE-84155-1
-
- references:
- anssi: BP28(R1)
-diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
-index 2c6448da572..3a4e6d4ac78 100644
----
a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
-+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27443-1
- cce@rhel8: CCE-80888-1
-+ cce@rhel9: CCE-84156-9
-
- references:
- cis@rhel7: 2.1.7
-diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
-index e836dc6fb10..87f57cda697 100644
---- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
-@@ -22,6 +22,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-27396-1
- cce@rhel8: CCE-82181-9
-+ cce@rhel9: CCE-84151-0
-
- references:
- anssi: BP28(R1)
-diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
-index e45f5ad0135..55ad750f02d 100644
---- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
-@@ -20,6 +20,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-27399-5
- cce@rhel8: CCE-82432-6
-+ cce@rhel9: CCE-84152-8
-
- references:
- anssi: BP28(R1)
-diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-index 02e2983feee..d4880e23956 100644
---- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-@@ -21,6 +21,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-27406-8
- cce@rhel8: CCE-80842-8
-+ cce@rhel9: CCE-84145-2
-
- references:
- cis@rhel7: 6.2.14
-diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
-index 33c36cde67d..ed8c4a6c090 100644
---- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
-@@ -20,6 +20,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-27342-5
- cce@rhel8: CCE-82184-3
-+ cce@rhel9: CCE-84143-7
-
- references:
- anssi: BP28(R1)
-diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
-index 5b27c0ced97..0997a778984 100644
---- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
-@@ -29,6 +29,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-27274-0
- cce@rhel8: CCE-82183-5
-+ cce@rhel9: CCE-84142-9
-
- references:
- anssi: BP28(R1)
-diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
-index 597be531e87..addfd018351 100644
---- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
-+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
-@@ -18,6 +18,7 @@ platform: machine
- identifiers:
- cce@rhel7: CCE-83334-3
- cce@rhel8: CCE-83335-0
-+ cce@rhel9: CCE-84140-3
-
- references:
- cis@rhel7: 2.2.19
-diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
-index e46e4f55d00..e0667d8811f 100644
---- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27210-4
- cce@rhel8: CCE-82180-1
-+ cce@rhel9: CCE-84158-5
-
- references:
- anssi:
BP28(R1)
-diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
-index 24743fc2d66..0e3c53e4b09 100644
---- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27432-4
- cce@rhel8: CCE-80848-5
-+ cce@rhel9: CCE-84157-7
-
- references:
- anssi: BP28(R1)
-diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
-index a26491259da..01c967baae8 100644
---- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
-@@ -27,6 +27,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-27165-0
- cce@rhel8: CCE-82182-7
-+ cce@rhel9: CCE-84149-4
- cce@sle12: CCE-83084-4
- cce@sle15: CCE-83273-3
-
-diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
-index afef4887348..b953c71f65c 100644
---- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
-@@ -19,6 +19,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-27305-2
- cce@rhel8: CCE-80849-3
-+ cce@rhel9: CCE-84146-0
-
- references:
- anssi: BP28(R1)
-diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
-index b6446c2a78b..f4e0378f9e5 100644
---- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
-+++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
-@@ -41,6 +41,7 @@ severity: high
- identifiers:
-
cce@rhel7: CCE-27401-9
- cce@rhel8: CCE-80887-3
-+ cce@rhel9: CCE-84150-2
-
- references:
- cis@rhel7: 2.2.19
-diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
-index ca25bb21244..abcff3d8982 100644
---- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
-@@ -20,6 +20,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-80213-2
- cce@rhel8: CCE-82436-7
-+ cce@rhel9: CCE-84154-4
-
- references:
- anssi: BP28(R1)
-diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
-index 71ef701ec8f..1cedfddfd2c 100644
---- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml
-+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
-@@ -14,6 +14,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-80282-7
- cce@rhel8: CCE-82861-6
-+ cce@rhel9: CCE-90795-6
-
- references:
- cis@rhel7: 2.2.4
-diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
-index f9495eef39c..5567e024ba1 100644
---- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
-+++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
-@@ -15,6 +15,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-80286-8
- cce@rhel8: CCE-82189-2
-+ cce@rhel9: CCE-84238-5
-
- {{{ complete_ocil_entry_package(package="squid") }}}
-
-diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
-index 1a538ab1e05..f12fa6f203d 100644
---- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
-+++
b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
-@@ -16,6 +16,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-80285-0
- cce@rhel8: CCE-82190-0
-+ cce@rhel9: CCE-84239-3
-
- references:
- cis@rhel7: 2.2.13
-diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
-index 4f1e4d85197..46387098d2d 100644
---- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
-+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82831-9
-+ cce@rhel9: CCE-84223-7
- cce@rhcos4: CCE-82535-6
-
- references:
-diff --git a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
-index 9688f30b22f..b1dbf5b93af 100644
---- a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
-+++ b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
-@@ -19,6 +19,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-27594-1
- cce@rhel8: CCE-82187-6
-+ cce@rhel9: CCE-84191-6
-
- references:
- disa: CCI-000366
-diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
-index 8d173cf74f4..595e8da103b 100644
---- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
-+++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27191-6
- cce@rhel8: CCE-80889-9
-+ cce@rhel9: CCE-84192-4
-
- references:
- disa: CCI-000366
-diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
-index 1dba9883089..acd5c19efaf
100644
---- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
-+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
-@@ -16,6 +16,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80277-7
- cce@rhel8: CCE-82759-2
-+ cce@rhel9: CCE-84201-3
-
- references:
- cis@rhel7: 2.2.12
-diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
-index df46bd44b95..25f676360c2 100644
---- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
-+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
-@@ -16,6 +16,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80274-4
- cce@rhel8: CCE-82758-4
-+ cce@rhel9: CCE-90832-7
-
- references:
- vmmsrg: SRG-OS-000480-VMM-002000
-diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-index 08224309561..15a190d5e49 100644
---- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82902-8
- cce@rhel8: CCE-82901-0
-+ cce@rhel9: CCE-90817-8
-
- references:
- cis@rhel7: 5.2.1
-diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-index f69a5a177c0..ee707dc646f 100644
---- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82899-6
- cce@rhel8: CCE-82898-8
-+ cce@rhel9: CCE-90821-0
-
- references:
- cis@rhel7: 5.2.1
-diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
-index ff719e2ca20..5250f1c72fb 100644
---- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
-+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82895-4
- cce@rhel8: CCE-82894-7
-+ cce@rhel9: CCE-90818-6
-
- references:
- cis@rhel7: 5.2.1
-diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
-index 57f3fcf792b..f6aee9aba0c 100644
---- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
-+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27485-2
- cce@rhel8: CCE-82424-3
-+ cce@rhel9: CCE-90820-2
- cce@sle12: CCE-83058-8
- cce@sle15: CCE-85644-3
-
-diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
-index 553560b83f6..30a8002bf1a 100644
---- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
-+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27311-0
- cce@rhel8: CCE-82428-4
-+ cce@rhel9: CCE-90819-4
- cce@sle12: CCE-83057-0
- cce@sle15: CCE-85643-5
-
-diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
-index 5f585c1a502..67bf4e7e022 100644
---- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
-+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82722-0
-+ cce@rhel9: CCE-90836-8
-
- references:
- srg: SRG-OS-000480-GPOS-00227
-diff --git
a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
-index 2d12bf7a8cc..46794f04946 100644
---- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
-+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80215-7
- cce@rhel8: CCE-83303-8
-+ cce@rhel9: CCE-90823-6
-
- references:
- stigid@ol7: OL07-00-040300
-diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
-index a7aaa4f3f9c..8ecbc74b778 100644
---- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
-+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
-@@ -24,6 +24,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80216-5
- cce@rhel8: CCE-82426-8
-+ cce@rhel9: CCE-90822-8
- cce@sle12: CCE-83201-4
- cce@sle15: CCE-83297-2
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
-index af004f81acf..888e9aa2aab 100644
---- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27413-4
- cce@rhel8: CCE-80786-7
-+ cce@rhel9: CCE-90816-0
-
- references:
- stigid@ol7: OL07-00-010470
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
-index fc9d1b9b3f3..4094e612579 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
-@@ -20,6 +20,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-27320-1
- cce@rhel8: CCE-80894-9
-+ cce@rhel9: CCE-90812-9
-
- references:
- stigid@ol7: OL07-00-040390
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
-index 54f40e75063..2e56c574a6c 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80224-9
- cce@rhel8: CCE-80895-6
-+ cce@rhel9: CCE-90801-2
- cce@sle12: CCE-83062-0
- cce@sle15: CCE-85647-6
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
-index 9e1cf6aae75..a8a1497d84d 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
-@@ -21,6 +21,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-27471-2
- cce@rhel8: CCE-80896-4
-+ cce@rhel9: CCE-90799-8
- cce@sle12: CCE-83014-1
- cce@sle15: CCE-85667-4
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
-index c15ef0c36a2..282b850f24c 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80220-7
- cce@rhel8: CCE-80897-2
-+ cce@rhel9: CCE-90808-7
-
- references:
- stigid@ol7: OL07-00-040430
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
-index 206a7c1399d..76708e44e1e 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
-+++
b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80221-5
- cce@rhel8: CCE-80898-0
-+ cce@rhel9: CCE-90802-0
-
- references:
- stigid@ol7: OL07-00-040440
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
-index d9bbe22ec98..2d8670ee211 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27377-1
- cce@rhel8: CCE-80899-8
-+ cce@rhel9: CCE-90797-2
- cce@rhcos4: CCE-82665-1
-
- references:
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
-index 5b36e99912a..3d987f0281d 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27445-6
- cce@rhel8: CCE-80901-2
-+ cce@rhel9: CCE-90800-4
- cce@sle12: CCE-83035-6
- cce@sle15: CCE-85557-7
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
-index 9a0a7b6dfa5..b9282f8c0dc 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83301-2
-+ cce@rhel9: CCE-90806-1
-
- references:
- cis@rhel8: 5.2.17
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
-index
cd63b670a25..2580b3cdfe4 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80372-6
- cce@rhel8: CCE-80902-0
-+ cce@rhel9: CCE-90796-4
- cce@sle12: CCE-83056-2
- cce@sle15: CCE-85642-7
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
-index b93aa2e6430..7da4e89cd6b 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83359-0
- cce@rhel8: CCE-83360-8
-+ cce@rhel9: CCE-90798-0
- cce@sle15: CCE-85707-8
-
- references:
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
-index 006a8496cef..cd08a39312b 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27363-1
- cce@rhel8: CCE-80903-8
-+ cce@rhel9: CCE-90803-8
- cce@sle12: CCE-83015-8
- cce@sle15: CCE-85666-6
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
-index 757ffe95f0e..6edd3480966 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80222-3
- cce@rhel8: CCE-80904-6
-+ cce@rhel9: CCE-90809-5
- cce@sle12: CCE-83060-4
- cce@sle15:
CCE-85645-0
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
-index c2c045ceb48..b8c7e45edf0 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27314-4
- cce@rhel8: CCE-80905-3
-+ cce@rhel9: CCE-90807-9
- cce@sle12: CCE-83066-1
- cce@sle15: CCE-83263-4
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
-index 886a03cdadd..d4a520437bb 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80225-6
- cce@rhel8: CCE-82281-7
-+ cce@rhel9: CCE-90804-6
- cce@sle12: CCE-83083-6
- cce@sle15: CCE-85563-5
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-index 84eb61830ff..a4f65562d73 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82177-7
-+ cce@rhel9: CCE-90815-2
-
- references:
- ospp: FCS_SSHS_EXT.1
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
-index 7444e9680d1..7b49ebbbefb 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27433-2
- cce@rhel8:
CCE-80906-1
-+ cce@rhel9: CCE-90811-1
- cce@rhcos4: CCE-82549-7
- cce@sle12: CCE-83027-3
- cce@sle15: CCE-83281-6
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
-index 3995cd8c4ad..5b08b3b93fb 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
-@@ -25,6 +25,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27082-7
- cce@rhel8: CCE-80907-9
-+ cce@rhel9: CCE-90805-3
- cce@rhcos4: CCE-82464-9
- cce@sle12: CCE-83034-9
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
-index 2f170a1a3c8..f6c57ccd113 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
-@@ -21,6 +21,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80645-5
- cce@rhel8: CCE-82282-5
-+ cce@rhel9: CCE-90813-7
-
- references:
- cis@debian10: 9.3.2
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
-index c7aa0e8899e..806953fd3c8 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82354-2
- cce@rhel8: CCE-83500-9
-+ cce@rhel9: CCE-90810-3
-
- references:
- cis@debian9: 9.3.5
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
-index 2782b71905a..a283a97f99a 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
-+++
b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83357-4
-+ cce@rhel9: CCE-84103-1
-
- references:
- cis@rhel8: 5.2.19
-diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
-index 7202c3b73e7..88c5f0a0684 100644
---- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
-+++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82168-6
-+ cce@rhel9: CCE-84206-2
- cce@rhcos4: CCE-82538-0
-
- references:
-diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
-index e7d3514efb0..dfc9d60d51c 100644
---- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
-+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
-@@ -41,6 +41,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82960-6
- cce@rhel8: CCE-82959-8
-+ cce@rhel9: CCE-84203-9
- cce@rhcos4: CCE-82524-0
-
- references:
-diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
-index a111d010844..28136f33936 100644
---- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
-+++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
-@@ -18,6 +18,7 @@ platform: machine
-
- identifiers:
- cce@rhel8: CCE-82853-3
-+ cce@rhel9: CCE-84205-4
- cce@rhcos4: CCE-82537-2
-
- references:
-diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
-index 49fbfceb390..2f54b61c9b0 100644
---- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
-+++
b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
-@@ -24,6 +24,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82368-2
-+ cce@rhel9: CCE-84210-4
- cce@rhcos4: CCE-82539-8
-
- references:
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
-index b1f1c590828..9c3e5853578 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
-@@ -25,6 +25,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27218-7
- cce@rhel8: CCE-82757-6
-+ cce@rhel9: CCE-84104-9
-
- references:
- cis@rhel7: 2.2.2
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
-index 10d5efe93f4..d4ae55e76e3 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
-@@ -37,6 +37,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83410-1
- cce@rhel8: CCE-83411-9
-+ cce@rhel9: CCE-84106-4
-
- references:
- disa: CCI-000366
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
-index e64ddd91807..4a33f52bb91 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
-@@ -25,6 +25,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27285-6
- cce@rhel8: CCE-83380-6
-+ cce@rhel9: CCE-84105-6
-
- references:
- disa: CCI-000366
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-index 8dde113ea69..42313d7861f 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-@@ -84,6 +84,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27303-7
- cce@rhel8: CCE-80763-6
-+ cce@rhel9: CCE-83557-9
- cce@rhcos4: CCE-82555-4
- cce@sle12: CCE-83054-7
- cce@sle15: CCE-83262-6
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-index fcc47279783..bb74c68d893 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-@@ -51,6 +51,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83394-7
- cce@rhel8: CCE-83496-0
-+ cce@rhel9: CCE-83559-5
-
- references:
- cis@rhel7: 1.7.1.
-diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
-index b30f8cde0f1..8bca4673c92 100644
---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83347-5
- cce@rhel8: CCE-83348-3
-+ cce@rhel9: CCE-83551-2
-
- references:
- cis@rhel7: 1.7.5
-diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
-index 460cc2f5d95..bd29403c607 100644
---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83337-6
- cce@rhel8: CCE-83338-4
-+ cce@rhel9: CCE-83554-6
-
- references:
- cis@rhel7: 1.7.4
-diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
-index 1662306b3a9..fc4f0e4b87d 100644
---- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
-@@ -29,6 +29,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-27275-7
- cce@rhel8: CCE-80788-3
-+ cce@rhel9: CCE-83560-3
- cce@sle12: CCE-83149-5
- cce@sle15: CCE-85560-1
-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
-index cb90c7ce004..98c5f2922be 100644
----
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82030-8
- cce@rhel8: CCE-80666-1
-+ cce@rhel9: CCE-83584-3
- cce@sle15: CCE-85678-1
-
- references:
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
-index 37434a1f593..cee6c05fd97 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27350-8
- cce@rhel8: CCE-80667-9
-+ cce@rhel9: CCE-83587-6
-
- references:
- stigid@ol7: OL07-00-010320
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
-index da61edfad1f..a03264066f1 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
-@@ -29,6 +29,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80353-6
- cce@rhel8: CCE-80668-7
-+ cce@rhel9: CCE-83589-2
-
- references:
- stigid@ol7: OL07-00-010330
-diff --git
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
-index 7dd0b99acf3..87026e13fb3 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
-@@ -37,6 +37,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27297-1
- cce@rhel8: CCE-80669-5
-+ cce@rhel9: CCE-83583-5
-
- references:
- stigid@ol7: OL07-00-010320
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
-index 08902f5a931..2eb38a4ba6f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
-@@ -30,6 +30,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-26884-7
- cce@rhel8: CCE-80670-3
-+ cce@rhel9: CCE-83588-4
-
- references:
- stigid@ol7: OL07-00-010320
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
-index c575ed1c153..b76cf3ad00c 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
-+++
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27214-6
- cce@rhel8: CCE-80653-9
-+ cce@rhel9: CCE-83566-0
-
- references:
- stigid@ol7: OL07-00-010140
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
-index 44f24e8cfb0..f0408f872b8 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
-@@ -32,6 +32,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82020-9
- cce@rhel8: CCE-80654-7
-+ cce@rhel9: CCE-83564-5
-
- references:
- stigid@ol7: OL07-00-010160
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
-index 20361952d6b..245e97485a3 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27345-8
- cce@rhel8: CCE-80655-4
-+ cce@rhel9: CCE-83570-2
-
- references:
- stigid@ol7: OL07-00-010130
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
-index a1eaf377d24..c2a456fabd4 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
-@@ -25,6 +25,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27512-3
- cce@rhel8: CCE-81034-1
-+ cce@rhel9: CCE-83575-1
-
- references:
- stigid@ol7: OL07-00-010190
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
-index b4fc71af15b..2ee715f20ce 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82055-5
- cce@rhel8: CCE-82066-2
-+ cce@rhel9: CCE-83567-8
-
- references:
- stigid@ol7: OL07-00-010180
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-index 1738c4a07c0..509ba7d0f3b 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-@@ -39,6 +39,7 @@ severity:
medium
- identifiers:
- cce@rhel7: CCE-82045-6
- cce@rhel8: CCE-82046-4
-+ cce@rhel9: CCE-83563-7
-
- references:
- stigid@ol7: OL07-00-010170
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-index 529799224b3..b395ce336e2 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-@@ -25,6 +25,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27293-0
- cce@rhel8: CCE-80656-2
-+ cce@rhel9: CCE-83579-3
-
- references:
- stigid@ol7: OL07-00-010280
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
-index 2f42a13c24b..3f64ac5fff7 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
-@@ -30,6 +30,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27360-7
- cce@rhel8: CCE-80663-8
-+ cce@rhel9: CCE-83565-2
-
- references:
- stigid@ol7: OL07-00-010150
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-index f1f65e3b03d..c1ef5e5f64d 100644
----
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-@@ -24,6 +24,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27160-1
- cce@rhel8: CCE-80664-6
-+ cce@rhel9: CCE-83569-4
-
- references:
- stigid@ol7: OL07-00-010119
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
-index a55c1b17003..33c60084985 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
-@@ -25,6 +25,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27200-5
- cce@rhel8: CCE-80665-3
-+ cce@rhel9: CCE-83568-6
-
- references:
- stigid@ol7: OL07-00-010120
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-index b0ecbd2bf1e..282c6182af8 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-@@ -46,6 +46,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82043-1
- cce@rhel8: CCE-80893-1
-+ cce@rhel9: CCE-83581-9
- cce@sle12: CCE-83184-2
- cce@sle15: CCE-85565-0
-
-diff --git
a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-index bc8c0a224b1..91515fcda12 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82185-0
- cce@rhel8: CCE-82186-8
-+ cce@rhel9: CCE-83592-6
-
- references:
- stigid@rhel7: RHEL-07-010481
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-index 3dee04454c3..49e084358b2 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-@@ -24,6 +24,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27287-2
- cce@rhel8: CCE-80855-0
-+ cce@rhel9: CCE-83594-2
- cce@rhcos4: CCE-82550-5
-
- references:
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
-index b6f9df180ea..70f73ee2865 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82963-0
- cce@rhel8: CCE-80644-8
-+ cce@rhel9: CCE-83599-1
-
- references:
- cui: 3.1.10
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-index 652e9287759..be1ca56f2da 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-@@ -38,6 +38,7 @@ identifiers:
- cce@sle12: CCE-83177-6
- cce@sle15: CCE-83292-3
- cce@rhel8: CCE-84029-8
-+ cce@rhel9: CCE-83596-7
-
- references:
- stigid@ol7: OL07-00-041001
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
-index 5f8caa69b5e..dfcf1709d0d 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80568-9
- cce@rhel8: CCE-80846-9
-+ cce@rhel9: CCE-83595-9
-
- references:
- disa: CCI-001954,CCI-001953
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-index 0c538123879..71c05cec2a7 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27355-7
- cce@rhel8: CCE-80954-1
-+ cce@rhel9: CCE-83627-0
- cce@rhcos4: CCE-82695-8
- cce@sle12: CCE-83051-3
-
cce@sle15: CCE-85558-5
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-index 6ef67acd5a1..4ef020cccff 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80208-2
- cce@rhel8: CCE-80674-5
-+ cce@rhel9: CCE-83628-8
-
- references:
- cjis: 5.5.2
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-index 15486e55f95..e89543ee542 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27051-2
- cce@rhel8: CCE-80647-1
-+ cce@rhel9: CCE-83606-4
- cce@sle12: CCE-83050-5
- cce@sle15: CCE-85570-0
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-index 31cf2d2124c..3bb7d560c33 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82036-5
- cce@rhel8: CCE-80648-9
-+ cce@rhel9:
CCE-83610-6
- cce@sle12: CCE-83049-7
- cce@sle15: CCE-85720-1
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
-index 4f316230045..6fc5842a7cb 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82049-8
- cce@rhel8: CCE-80652-1
-+ cce@rhel9: CCE-83608-0
-
- references:
- cjis: 5.6.2.1
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-index 3b51e91d080..3cee41c8ab3 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82016-7
- cce@rhel8: CCE-80671-1
-+ cce@rhel9: CCE-83609-8
-
- references:
- cui: 3.5.8
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
-index 0563b15fc4e..a018101e9fa 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
-@@ -18,6 +18,7 @@
severity: medium
- identifiers:
- cce@rhel7: CCE-27352-4
- cce@rhel8: CCE-80651-3
-+ cce@rhel9: CCE-83618-9
-
- references:
- cjis: 5.5.2
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
-index 71c7f51f1fd..e0219783963 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83402-8
- cce@rhel8: CCE-83403-6
-+ cce@rhel9: CCE-83615-5
-
- references:
- anssi: BP28(R32)
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
-index e4912d51154..36181c5b094 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83384-8
- cce@rhel8: CCE-83386-3
-+ cce@rhel9: CCE-83621-3
-
- references:
- anssi: BP28(R32)
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
-index 4f48f364505..97a37c42f91 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
-+++
b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
-@@ -14,6 +14,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-27503-2
- cce@rhel8: CCE-80822-0
-+ cce@rhel9: CCE-83613-0
-
- references:
- stigid@ol7: OL07-00-020300
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
-index 4f0c5894d10..eb36cc54ff4 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
-@@ -24,6 +24,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-27286-4
- cce@rhel8: CCE-80841-0
-+ cce@rhel9: CCE-83611-4
- cce@rhcos4: CCE-82553-9
- cce@sle12: CCE-83039-8
- cce@sle15: CCE-85576-7
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
-index f9799183e0c..126f2ba5645 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83388-9
- cce@rhel8: CCE-83389-7
-+ cce@rhel9: CCE-83616-3
-
- references:
- cis@rhel7: 6.2.4
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
-index 1703c8b7ff4..12e9a1253e1 100644
----
a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82889-7
- cce@rhel8: CCE-82890-5
-+ cce@rhel9: CCE-83620-5
-
- references:
- cis@rhel7: 6.2.2
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
-index 94ba6160154..102c4def630 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83390-5
- cce@rhel8: CCE-84290-6
-+ cce@rhel9: CCE-83612-2
-
- references:
- cis@rhel7: 6.2.3
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-index 9e9ac4a3d87..1781d30ce87 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80211-6
- cce@rhel8: CCE-83444-0
-+ cce@rhel9: CCE-83617-1
- cce@rhcos4: CCE-82667-7
-
- references:
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-index 0174370d54c..4357fd62803 100644
----
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-@@ -24,6 +24,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-82054-8
- cce@rhel8: CCE-80649-7
-+ cce@rhel9: CCE-83624-7
- cce@rhcos4: CCE-82699-0
- cce@sle12: CCE-83020-8
- cce@sle15: CCE-85664-1
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-index cf261e7dbc4..ee402c27798 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-@@ -29,6 +29,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27294-8
- cce@rhel8: CCE-80840-2
-+ cce@rhel9: CCE-83625-4
- cce@rhcos4: CCE-82698-2
-
- references:
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-index 65e41ca5c18..b82172844fd 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82015-9
- cce@rhel8: CCE-80843-6
-+ cce@rhel9: CCE-83623-9
- cce@rhcos4: CCE-82697-4
- cce@sle15: CCE-85672-4
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
-index 1755f68c28e..0828e1c14e4 100644
----
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27268-2
- cce@rhel8: CCE-80856-8
-+ cce@rhel9: CCE-83622-1
-
- references:
- cui: '3.1.1,3.1.5'
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-index e53917e4f22..3d04c7ec7ec 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27318-5
- cce@rhel8: CCE-80864-2
-+ cce@rhel9: CCE-83626-2
-
- references:
- cui: '3.1.1,3.1.5'
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-index d1da3b69637..c5696d27985 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-@@ -17,6 +17,7 @@ identifiers:
- cce@rhel7: CCE-80352-8
- cce@sle12: CCE-83028-1
- cce@rhel8: CCE-84037-1
-+ cce@rhel9: CCE-83635-3
-
- references:
- stigid@ol7: OL07-00-010430
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
-index 50ae13a1df7..dfc5836d665 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
-+++
b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
-@@ -20,6 +20,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-82041-5
- cce@rhel8: CCE-80955-8
-+ cce@rhel9: CCE-83641-1
- cce@sle12: CCE-83065-3
- cce@sle15: CCE-85555-1
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
-index abe3c4e82a8..74e0ee3261e 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
-@@ -19,6 +19,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-83731-0
- cce@rhel8: CCE-83732-8
-+ cce@rhel9: CCE-90827-7
-
- references:
- anssi: BP28(R39)
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
-index 5ded3a505f8..312a2ab6987 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
-@@ -19,6 +19,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-83777-3
- cce@rhel8: CCE-83778-1
-+ cce@rhel9: CCE-83642-9
-
- references:
- anssi: BP28(R39)
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-index 5130296ad98..4c890a9ed9f 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-@@ -29,6 +29,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27557-8
- cce@rhel8: CCE-80673-7
-+ cce@rhel9: CCE-83633-8
- cce@sle12: CCE-83011-7
- cce@sle15: CCE-83269-1
-
-diff --git
a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-index ac541680fa7..bd075ed358c 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80529-1
- cce@rhel8: CCE-83424-2
-+ cce@rhel9: CCE-83639-5
- cce@sle12: CCE-83074-5
- cce@sle15: CCE-85628-6
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-index 237e7e86c12..bfd92f73cfe 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80532-5
- cce@rhel8: CCE-83434-1
-+ cce@rhel9: CCE-83629-6
- cce@sle12: CCE-83096-8
- cce@sle15: CCE-85711-0
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
-index 044118cbdcd..722603ca78c 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
-@@ -21,6 +21,7 @@ identifiers:
- cce@sle12: CCE-83097-6
- cce@sle15: CCE-85630-2
- cce@rhel8: CCE-84043-9
-+ cce@rhel9: CCE-83637-9
-
- references:
- stigid@ol7: OL07-00-020710
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml -index e070fdb6669..6f2e53f38da 100644 ---- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml -@@ -21,6 +21,7 @@ identifiers: - cce@sle12: CCE-83076-0 - cce@sle15: CCE-85629-4 - cce@rhel8: CCE-84038-9 -+ cce@rhel9: CCE-83634-6 - - references: - stigid@ol7: OL07-00-020630 -diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml -index f3b68707cb0..95e67220245 100644 ---- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml -@@ -27,6 +27,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80201-7 - cce@rhel8: CCE-84274-0 -+ cce@rhel9: CCE-83638-7 - - references: - disa: CCI-000225 -diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml -index 73ebb701cc8..1f09ce4d10e 100644 ---- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80200-9 - cce@rhel8: CCE-80672-9 -+ cce@rhel9: CCE-83643-7 - - references: - disa: CCI-000366 -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -index d9afad723ef..3ddbc2272db 100644 ---- 
a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -@@ -20,6 +20,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80202-5 - cce@rhel8: CCE-81036-6 -+ cce@rhel9: CCE-83644-5 - cce@rhcos4: CCE-84260-9 - - references: -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml -index 99c7f274bd5..e4f7690f9c7 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml -@@ -17,6 +17,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80205-8 - cce@rhel8: CCE-82888-9 -+ cce@rhel9: CCE-83647-8 - cce@sle12: CCE-83052-1 - cce@sle15: CCE-85659-1 - -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml -index 2ccc8b93149..e2531c67eb5 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml -@@ -17,6 +17,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-80204-1 - cce@rhel8: CCE-81035-8 -+ cce@rhel9: CCE-90828-5 - cce@rhcos4: CCE-84262-5 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml -index 7f4367ca2e8..826c83f6026 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27339-1 - cce@rhel8: CCE-80685-1 -+ cce@rhel9: CCE-83830-0 - cce@rhcos4: CCE-82556-2 - cce@sle12: CCE-83106-5 - cce@sle15: CCE-85693-0 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml -index a5f3f15bf35..05a2bb66ee9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27364-9 - cce@rhel8: CCE-80686-9 -+ cce@rhel9: CCE-83812-8 - cce@rhcos4: CCE-82557-0 - cce@sle12: CCE-83137-0 - cce@sle15: CCE-85690-6 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml -index 48f1016a4c7..11c083e8cc1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27393-8 - cce@rhel8: CCE-80687-7 -+ cce@rhel9: CCE-83832-6 - cce@rhcos4: CCE-82558-8 - cce@sle12: CCE-83133-9 - cce@sle15: CCE-85694-8 -diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml -index b1da8c2e2d9..43a95de5a29 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27388-8 - cce@rhel8: CCE-80688-5 -+ cce@rhel9: CCE-83822-7 - cce@rhcos4: CCE-82559-6 - cce@sle12: CCE-83132-1 - cce@sle15: CCE-85695-5 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml -index 4688f94c29e..5499a793840 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml -@@ -32,6 +32,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27356-5 - cce@rhel8: CCE-80689-3 -+ cce@rhel9: CCE-83829-2 - cce@rhcos4: CCE-82560-4 - cce@sle12: CCE-83136-2 - cce@sle15: CCE-85721-9 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml -index 94bf93b456e..6ac0c29bb8b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27387-0 - cce@rhel8: CCE-80690-1 -+ cce@rhel9: CCE-83831-8 - cce@rhcos4: CCE-82561-2 - cce@sle12: CCE-83134-7 - cce@sle15: CCE-85692-2 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml -index 6c6490cec14..2c57c277664 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml -@@ -34,6 +34,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27353-2 - cce@rhel8: CCE-80691-9 -+ cce@rhel9: CCE-83821-9 - cce@rhcos4: CCE-82562-0 - cce@sle12: CCE-83138-8 - cce@sle15: CCE-85686-4 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml -index f8d076876e0..bbb177ebd9a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27389-6 - cce@rhel8: CCE-80692-7 -+ cce@rhel9: CCE-83817-7 - cce@rhcos4: CCE-82563-8 - cce@sle12: CCE-83141-2 - cce@sle15: CCE-85688-0 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml -index 746f5b38f70..2682b06a4ba 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27083-5 - cce@rhel8: CCE-80693-5 -+ cce@rhel9: CCE-83833-4 - cce@rhcos4: CCE-82564-6 - cce@sle12: CCE-83135-4 - cce@sle15: CCE-85691-4 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml -index cada76ea71f..c5b7f0a4b1a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml -@@ -34,6 +34,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27410-0 - cce@rhel8: CCE-80694-3 -+ cce@rhel9: CCE-83814-4 - cce@rhcos4: CCE-82565-3 - cce@sle12: CCE-83139-6 - cce@sle15: CCE-85685-6 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml -index 7b8a48e4295..ccc2520da57 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27280-7 - 
cce@rhel8: CCE-80695-0 -+ cce@rhel9: CCE-83808-6 - cce@rhcos4: CCE-82566-1 - cce@sle15: CCE-85689-8 - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml -index 839857dfbbe..89895b2802c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27367-2 - cce@rhel8: CCE-80696-8 -+ cce@rhel9: CCE-83807-8 - cce@rhcos4: CCE-82567-9 - cce@sle12: CCE-83140-4 - cce@sle15: CCE-85684-9 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml -index 413b11ebcc3..83511fa4bcf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27213-8 - cce@rhel8: CCE-80697-6 -+ cce@rhel9: CCE-83811-0 - cce@rhcos4: CCE-82568-7 - cce@sle12: CCE-83142-0 - cce@sle15: CCE-85687-2 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -index 0972a0a04ef..f94d9209106 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -@@ -41,6 +41,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80393-2 - cce@rhel8: CCE-80698-4 -+ cce@rhel9: CCE-83748-4 - cce@rhcos4: CCE-82569-5 - cce@sle12: CCE-83215-4 - cce@sle15: CCE-85716-9 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml -index 4b199b8bca6..8c8a39007cb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80394-0 - cce@rhel8: CCE-80699-2 -+ cce@rhel9: CCE-83749-2 - cce@rhcos4: CCE-82570-3 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -index 673bdaf3e2a..6280105ce22 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80391-6 - cce@rhel8: CCE-80700-8 -+ cce@rhel9: CCE-83750-0 - cce@rhcos4: CCE-82571-1 - - references: -diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml -index 0440dc51191..dfbfce4df9a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80660-4 - cce@rhel8: CCE-82280-9 -+ cce@rhel9: CCE-83736-9 - cce@rhcos4: CCE-82572-9 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -index 894b1e83fcd..773c1829179 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80392-4 - cce@rhel8: CCE-80701-6 -+ cce@rhel9: CCE-83751-8 - cce@rhcos4: CCE-82573-7 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml -index 80dc8e2825a..f616cc6940e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82362-5 - cce@rhel8: CCE-80933-5 -+ cce@rhel9: CCE-83746-8 - cce@rhcos4: CCE-82574-5 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -index ae2fc418856..453f4ab4354 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -@@ -28,6 +28,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27206-2 - cce@rhel8: CCE-80702-4 -+ cce@rhel9: CCE-83752-6 - - references: - cis@rhel7: 4.1.14 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -index 237403a21c8..1c2149fae72 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -@@ -26,6 +26,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80995-4 - cce@rhel8: CCE-80703-2 -+ cce@rhel9: CCE-83754-2 - cce@rhcos4: CCE-82575-2 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml -index f8ee193dbfa..5dfc167e34d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml -@@ -26,6 +26,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80413-8 - cce@rhel8: CCE-80704-0 -+ cce@rhel9: CCE-83756-7 - cce@rhcos4: CCE-82576-0 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml -index 7061949cbe2..49f5c093061 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml -@@ -26,6 +26,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80412-0 - cce@rhel8: CCE-80705-7 -+ cce@rhel9: CCE-83758-3 - cce@rhcos4: CCE-82577-8 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -index 5b4677af2bc..80f1483e895 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -@@ -26,6 +26,7 @@ severity: medium 
- identifiers:
- cce@rhel7: CCE-80996-2
- cce@rhel8: CCE-80706-5
-+ cce@rhel9: CCE-83757-5
- cce@rhcos4: CCE-82578-6
-
- references:
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
-index f0eb0092d79..b6a1a10f75f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80662-0
- cce@rhel8: CCE-80707-3
-+ cce@rhel9: CCE-83755-9
- cce@rhcos4: CCE-82579-4
-
- references:
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-index 2a8763f30b4..7454775a900 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
-@@ -35,6 +35,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27347-4
- cce@rhel8: CCE-80750-3
-+ cce@rhel9: CCE-83793-0
-
- references:
- cjis: 5.4.1.1
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-index 648095bb69f..27423e6deaf 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
-@@ -35,6 +35,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80385-8
- cce@rhel8: CCE-80751-1
-+ cce@rhel9: CCE-83786-4
- cce@rhcos4: CCE-82621-4
- cce@sle12: CCE-83092-7
- cce@sle15: CCE-85681-5
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-index 5f4e10fc1ac..3391cd44a3d 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
-@@ -38,6 +38,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80390-8
- cce@rhel8: CCE-80752-9
-+ cce@rhel9: CCE-83800-3
- cce@rhcos4: CCE-82629-7
- cce@sle12: CCE-83091-9
- cce@sle15: CCE-85696-3
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-index 5761374a4f8..7c9441884d3 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
-@@ -38,6 +38,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80386-6
- cce@rhel8: CCE-80753-7
-+ cce@rhel9: CCE-83801-1
- cce@rhcos4: CCE-82633-9
- cce@sle12: CCE-83131-3
- cce@sle15: CCE-85680-7
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-index 7cf89f50dde..4b4c259cd63 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
-@@ -35,6 +35,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80388-2
- cce@rhel8: CCE-80755-2
-+ cce@rhel9: CCE-83796-3
- cce@rhcos4: CCE-82640-4
- cce@sle12: CCE-83094-3
- cce@sle15: CCE-85683-1
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-index a4b9c22956c..7b44a725d6f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
-@@ -38,6 +38,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80387-4
- cce@rhel8: CCE-80754-5
-+ cce@rhel9: CCE-83794-8
- cce@rhcos4: CCE-82634-7
- cce@sle12: CCE-83093-5
- cce@sle15: CCE-85682-3
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-index f0ac52a2ab9..899c453b947 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
-@@ -38,6 +38,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80389-0
- cce@rhel8: CCE-80756-0
-+ cce@rhel9: CCE-83792-2
- cce@rhcos4: CCE-82651-1
- cce@sle12: CCE-83085-1
- cce@sle15: CCE-85608-8
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-index 446766d0e50..35cb29e095f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27129-6
- cce@rhel8: CCE-80709-9
-+ cce@rhel9: CCE-83804-5
-
- references:
- cis@rhel7: 4.1.17
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-index d8ce90bf575..c96fbb705c8 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80415-3
- cce@rhel8: CCE-80711-5
-+ cce@rhel9: CCE-83802-9
- cce@rhcos4: CCE-82580-2
- cce@sle12: CCE-83128-9
- cce@sle15: CCE-85748-2
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-index cf4dea7a588..43b487f06b3 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80547-3
- cce@rhel8: CCE-80712-3
-+ cce@rhel9: CCE-83803-7
- cce@rhcos4: CCE-82581-0
- cce@sle12: CCE-83129-7
- cce@sle15: CCE-85749-0
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-index b84eb7c5593..150ae82de02 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80414-6
- cce@rhel8: CCE-80713-1
-+ cce@rhel9: CCE-90835-0
- cce@rhcos4: CCE-82582-8
- cce@sle12: CCE-83130-5
- cce@sle15: CCE-85750-8
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
-index bb7d9672a55..e54d1c98fa3 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
-@@ -31,6 +31,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27204-7
- cce@rhel8: CCE-80717-2
-+ cce@rhel9: CCE-83784-9
-
- references:
- cjis: 5.4.1.1
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
-index e59377bf222..a196008d371 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80383-3
- cce@rhel8: CCE-80718-0
-+ cce@rhel9: CCE-83783-1
- cce@rhcos4: CCE-82583-6
-
- references:
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
-index 9c2bd1eac7e..b83e36f9844 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80384-1
- cce@rhel8: CCE-80719-8
-+ cce@rhel9: CCE-83785-6
- cce@rhcos4: CCE-82584-4
- cce@sle12: CCE-83108-1
- cce@sle15: CCE-85598-1
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
-index 50cbffd31a3..0f5c73acfd9 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80994-7
- cce@rhel8: CCE-80720-6
-+ cce@rhel9: CCE-83782-3
- cce@rhcos4: CCE-82585-1
- cce@sle12: CCE-83107-3
- cce@sle15: CCE-85597-3
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-index cf997bbcf4a..32731527a24 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-@@ -39,6 +39,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27437-3
- cce@rhel8: CCE-80724-8
-+ cce@rhel9: CCE-83759-1
- cce@rhcos4: CCE-82589-3
-
- references:
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
-index dcfbe5de239..92fc399b45c 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
-@@ -33,6 +33,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80398-1
- cce@rhel8: CCE-80725-5
-+ cce@rhel9: CCE-83765-8
- cce@rhcos4: CCE-82591-9
- cce@sle12: CCE-83110-7
- cce@sle15: CCE-85587-4
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
-index 43d151984d8..bf559c8fad2 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
-@@ -33,6 +33,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80404-7
- cce@rhel8: CCE-80726-3
-+ cce@rhel9: CCE-83763-3
- cce@rhcos4: CCE-82592-7
- cce@sle12: CCE-83163-6
- cce@sle15: CCE-85586-6
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
-index cdbcd540e15..483c8fb4e84 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
-@@ -33,6 +33,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80410-4
- cce@rhel8: CCE-80727-1
-+ cce@rhel9: CCE-83761-7
- cce@rhcos4: CCE-82593-5
- cce@sle12: CCE-83126-3
- cce@sle15: CCE-85588-2
-diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -index 64ebb4b3274..ec514df8a96 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80397-3 - cce@rhel8: CCE-80728-9 -+ cce@rhel9: CCE-83773-2 - cce@rhcos4: CCE-82594-3 - cce@sle12: CCE-83161-0 - cce@sle15: CCE-85584-1 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -index a7b1ab0a6f3..f6b09b92430 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80403-9 - cce@rhel8: CCE-80729-7 -+ cce@rhel9: CCE-83766-6 - cce@rhcos4: CCE-82597-6 - cce@sle12: CCE-83162-8 - cce@sle15: CCE-85585-8 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -index c113d75ffb8..cf5804a4eb0 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -@@ -41,6 +41,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80411-2 - cce@rhel8: CCE-80730-5 -+ cce@rhel9: CCE-83767-4 - cce@rhcos4: CCE-82599-2 - cce@sle12: CCE-83127-1 - cce@sle15: CCE-85601-3 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -index df3e1b83dce..6c76998b4e5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80395-7 - cce@rhel8: CCE-80731-3 -+ cce@rhel9: CCE-83781-5 - cce@rhcos4: CCE-82600-8 - cce@sle12: CCE-83160-2 - cce@sle15: CCE-85583-3 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -index 6316f31e664..843c42e8c00 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80406-2 - cce@rhel8: CCE-80732-1 -+ cce@rhel9: CCE-83769-0 - 
cce@rhcos4: CCE-82601-6 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -index 528018fe8a9..6ab088d9adb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80407-0 - cce@rhel8: CCE-80733-9 -+ cce@rhel9: CCE-83770-8 - cce@rhcos4: CCE-82602-4 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -index d32a3c45662..1fdfcda2c17 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -@@ -37,6 +37,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80408-8 - cce@rhel8: CCE-80735-4 -+ cce@rhel9: CCE-83776-5 - cce@rhcos4: CCE-82604-0 - cce@sle12: CCE-83159-4 - cce@sle15: CCE-85582-5 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -index bcb50c6b080..592d53e37ff 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80400-5 - cce@rhel8: CCE-80736-2 -+ cce@rhel9: CCE-83771-6 - cce@rhcos4: CCE-82605-7 - cce@sle12: CCE-83143-8 - cce@sle15: CCE-85602-1 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -index 83775fefe5f..759bbbfdda0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80401-3 - cce@rhel8: CCE-80737-0 -+ cce@rhel9: CCE-83780-7 - cce@rhcos4: CCE-82606-5 - cce@sle12: CCE-83144-6 - cce@sle15: CCE-85603-9 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml -index 6f8ed9f3163..45f851653cd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80402-1 - cce@rhel8: CCE-80738-8 -+ cce@rhel9: CCE-83764-1 - cce@rhcos4: CCE-82607-3 - cce@sle15: 
CCE-85717-7 - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -index abf9d895013..db04572f95a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80405-4 - cce@rhel8: CCE-80739-6 -+ cce@rhel9: CCE-83762-5 - cce@rhcos4: CCE-82608-1 - cce@sle12: CCE-83158-6 - cce@sle15: CCE-85734-2 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -index f1b9dd19237..b3a13b54621 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80396-5 - cce@rhel8: CCE-80740-4 -+ cce@rhel9: CCE-83768-2 - cce@rhcos4: CCE-82609-9 - cce@sle12: CCE-83109-9 - cce@sle15: CCE-85727-6 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -index 8d92480f717..e32b43bb00d 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80399-9 - cce@rhel8: CCE-80741-2 -+ cce@rhel9: CCE-83760-9 - cce@rhcos4: CCE-82610-7 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml -index f42bcf1a18c..e37327bf154 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml -@@ -27,6 +27,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27097-5 - cce@rhel8: CCE-80708-1 -+ cce@rhel9: CCE-83716-1 - cce@rhcos4: CCE-82668-5 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml -index 3567507042f..bce6d2534dd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml -@@ -23,6 +23,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27168-4 - cce@rhel8: CCE-80721-4 -+ cce@rhel9: CCE-83721-1 - cce@rhcos4: CCE-82586-9 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml -index 883b19d998e..ec97d311975 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml -@@ -27,6 +27,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27447-2 - cce@rhel8: CCE-80722-2 -+ cce@rhel9: CCE-83735-1 - cce@rhcos4: CCE-82587-7 - cce@sle12: CCE-83217-0 - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml -index 134cc80a7d4..7f354a63867 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27076-9 - cce@rhel8: CCE-80723-0 -+ cce@rhel9: CCE-83706-2 - cce@rhcos4: CCE-82588-5 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml -index ddaa1f504b1..a0a232d14b0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27301-1 - cce@rhel8: CCE-80742-0 -+ cce@rhel9: CCE-83713-8 - cce@rhcos4: CCE-82612-3 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml -index b1d13fba2b8..4e095e9fcce 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml -@@ -25,6 +25,7 @@ severity: medium - 
identifiers: - cce@rhel7: CCE-27461-3 - cce@rhel8: CCE-80743-8 -+ cce@rhel9: CCE-83729-4 - cce@rhcos4: CCE-82613-1 - cce@sle15: CCE-85679-9 - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -index 18ee888a8e6..240b0dcff30 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -@@ -30,6 +30,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80997-0 - cce@rhel8: CCE-80744-6 -+ cce@rhel9: CCE-83709-6 - - references: - stigid@ol7: OL07-00-030010 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml -index a09d23f6dff..f0580448f18 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml -@@ -34,6 +34,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27192-4 - cce@rhel8: CCE-80757-8 -+ cce@rhel9: CCE-83715-3 - - references: - stigid@ol7: OL07-00-030710 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -index f4f5820b617..1fab77b25f3 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -@@ -30,6 +30,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80433-6 - cce@rhel8: CCE-80758-6 -+ cce@rhel9: CCE-83722-9 - 
cce@rhcos4: CCE-82654-5 - cce@sle12: CCE-83121-4 - cce@sle15: CCE-85578-3 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -index 3f48685b35b..889d3bf1c79 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -@@ -30,6 +30,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80432-8 - cce@rhel8: CCE-80759-4 -+ cce@rhel9: CCE-83723-7 - cce@rhcos4: CCE-82655-2 - cce@sle12: CCE-83095-0 - cce@sle15: CCE-85580-9 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -index 5e3eba4b3f5..d4cc22ee1a1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -@@ -30,6 +30,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80430-2 - cce@rhel8: CCE-80760-2 -+ cce@rhel9: CCE-83712-0 - cce@rhcos4: CCE-82656-0 - cce@sle12: CCE-83123-0 - cce@sle15: CCE-85728-4 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -index 0c545fd0c66..6930d0d20be 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -@@ -30,6 +30,7 @@ severity: medium - 
identifiers: - cce@rhel7: CCE-80435-1 - cce@rhel8: CCE-80761-0 -+ cce@rhel9: CCE-83714-6 - cce@rhcos4: CCE-82657-8 - cce@sle12: CCE-83120-6 - cce@sle15: CCE-85577-5 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -index d4763ca4709..32b597820c4 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -@@ -30,6 +30,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80431-0 - cce@rhel8: CCE-80762-8 -+ cce@rhel9: CCE-83725-2 - cce@rhcos4: CCE-82658-6 - cce@sle12: CCE-83122-2 - cce@sle15: CCE-85579-1 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml -index 3e369f14489..290913884b6 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27290-6 - cce@rhel8: CCE-80745-3 -+ cce@rhel9: CCE-83840-9 - cce@rhcos4: CCE-82614-9 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml -index f8ef91a5182..e2bd099a151 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27219-5 - cce@rhel8: CCE-80746-1 -+ cce@rhel9: CCE-83837-5 - cce@rhcos4: CCE-82615-6 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml -index f457fba8061..8a0488d8e3d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27216-1 - cce@rhel8: CCE-80747-9 -+ cce@rhel9: CCE-83836-7 - cce@rhcos4: CCE-82616-4 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml -index b8b6fbe6db2..65de17e8dee 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml -@@ -37,6 +37,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27299-7 - cce@rhel8: CCE-80748-7 -+ cce@rhel9: CCE-83835-9 - cce@rhcos4: CCE-82617-2 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml -index 37d51535902..063725a1aee 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml -@@ -27,6 +27,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27310-2 - cce@rhel8: CCE-80749-5 -+ cce@rhel9: CCE-83839-1 - cce@rhcos4: CCE-82618-0 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml -index 2c869dfb128..c13c8fb13c2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml -@@ -17,6 +17,7 @@ severity: medium - identifiers: - cce@rhcos4: CCE-82692-5 - cce@rhel8: CCE-84048-8 -+ cce@rhel9: CCE-83734-4 - - references: - nist: CM-6(a),AC-6(1),AU-9 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml -index e495992ecb6..3d2ae4eb21c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80125-8 - cce@rhel8: CCE-80808-9 -+ cce@rhel9: CCE-83726-0 - cce@rhcos4: CCE-82691-7 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml -index f9ce395716c..d1f109a7312 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml -@@ -19,6 +19,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27205-4 - cce@rhel8: CCE-80819-6 -+ cce@rhel9: CCE-83720-3 - cce@rhcos4: CCE-82690-9 - - references: -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml -index c42c90a8254..ed31e661e58 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml -@@ -26,6 +26,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27341-7 - cce@rhel8: CCE-80677-8 -+ cce@rhel9: CCE-83695-7 - - references: - cjis: 5.4.1.1 -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml -index f1102676c58..57e98a96963 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml -@@ -25,6 +25,7 @@ identifiers: - cce@rhel7: CCE-80646-3 - cce@rhcos4: CCE-82679-2 - cce@rhel8: CCE-84046-2 -+ cce@rhel9: CCE-83690-8 - - references: - nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml -index fd3aff398c6..77a56c9928d 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml -+++ 
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml -@@ -29,6 +29,7 @@ identifiers: - cce@sle12: CCE-83032-3 - cce@sle15: CCE-85606-2 - cce@rhel8: CCE-84045-4 -+ cce@rhel9: CCE-83684-1 - - references: - nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml -index 114363370cd..f7e1eed913a 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27394-6 - cce@rhel8: CCE-80678-6 -+ cce@rhel9: CCE-83698-1 - cce@rhcos4: CCE-82675-0 - cce@sle12: CCE-83030-7 - cce@sle15: CCE-85604-7 -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml -index c6ce1adb653..98822fb7a92 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml -@@ -25,6 +25,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27370-6 - cce@rhel8: CCE-80679-4 -+ cce@rhel9: CCE-83700-5 - cce@rhcos4: CCE-82677-6 - - references: -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml -index 6d100796619..7087dd536e1 100644 ---- 
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml -@@ -21,6 +21,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27331-8 - cce@rhel8: CCE-80680-2 -+ cce@rhel9: CCE-83685-8 - cce@rhcos4: CCE-82508-3 - - references: -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml -index d825f887f04..18a83773926 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml -@@ -22,6 +22,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27319-3 - cce@rhel8: CCE-80681-0 -+ cce@rhel9: CCE-83683-3 - cce@rhcos4: CCE-82694-1 - - references: -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml -index ef32b8dda40..ac486f9fdee 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml -@@ -30,6 +30,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27231-0 - cce@rhel8: CCE-80682-8 -+ cce@rhel9: CCE-83701-3 - cce@rhcos4: CCE-82680-0 - - references: -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml -index dbaa3c76e18..8618a85c6d7 100644 
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27348-2
- cce@rhel8: CCE-80683-6
-+ cce@rhel9: CCE-83688-2
- cce@rhcos4: CCE-82693-3
-
- references:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
-index 0700e4881d2..6babd3b3a01 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
-@@ -31,6 +31,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27375-5
- cce@rhel8: CCE-80684-4
-+ cce@rhel9: CCE-83703-9
- cce@rhcos4: CCE-82678-4
-
- references:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
-index 3f6cc973db0..56f618c99ae 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82358-3
- cce@rhel8: CCE-82258-5
-+ cce@rhel9: CCE-83704-7
- cce@rhcos4: CCE-82512-5
-
- references:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
-index ad5a39d3c90..5df38381c28 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
-+++
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82355-9
- cce@rhel8: CCE-82233-8
-+ cce@rhel9: CCE-83682-5
- cce@rhcos4: CCE-82509-1
-
- references:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
-index 407e33433cd..1f3280507e3 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82357-5
- cce@rhel8: CCE-82201-5
-+ cce@rhel9: CCE-83696-5
- cce@rhcos4: CCE-82511-7
-
- references:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
-index a778d5faf28..3557e8b79f8 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82359-1
- cce@rhel8: CCE-82897-0
-+ cce@rhel9: CCE-83686-6
- cce@rhcos4: CCE-82513-3
-
- references:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
-index 0becb1671ce..24207420764 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82356-7
- cce@rhel8: CCE-82366-6
-+
cce@rhel9: CCE-83705-4
- cce@rhcos4: CCE-82510-9
-
- references:
-diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
-index 9f8823ad464..6408818fb8a 100644
---- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
-+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27212-0
- cce@rhel8: CCE-80825-3
-+ cce@rhel9: CCE-83651-0
-
- references:
- cis@rhel7: 4.1.3
-diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
-index aab1e2f8cff..3a93dc412b4 100644
---- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
-+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82156-1
- cce@rhel8: CCE-80943-4
-+ cce@rhel9: CCE-83652-8
-
- references:
- srg: SRG-OS-000254-GPOS-00095,SRG-OS-000341-GPOS-00132
-diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
-index 6d96d340a33..85ba222d616 100644
---- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
-+++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82954-9
- cce@rhel8: CCE-82953-1
-+ cce@rhel9: CCE-83648-6
-
- references:
- srg: SRG-OS-000342-GPOS-00133
-diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
-index ac1da528ee6..3cbc735f963 100644
---- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
-+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
-@@ -11,6 +11,7 @@
severity: medium
- identifiers:
- cce@rhel7: CCE-81042-4
- cce@rhel8: CCE-81043-2
-+ cce@rhel9: CCE-83649-4
- cce@rhcos4: CCE-82669-3
- cce@sle12: CCE-83023-2
- cce@sle15: CCE-85612-0
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
-index a0d856b023b..1d415ae973b 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
-@@ -31,6 +31,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82833-5
-+ cce@rhel9: CCE-83672-6
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
-index 6f79a5cf04a..dc2ff4236fa 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
-@@ -36,6 +36,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82834-3
-+ cce@rhel9: CCE-83653-6
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
-index bd5d6455351..84f064eb799 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
-@@ -44,6 +44,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82827-7
-+ cce@rhel9: CCE-83670-0
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
-index b2f731d11ba..6af306aa0aa 100644
----
a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
-@@ -44,6 +44,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82374-0
-+ cce@rhel9: CCE-83669-2
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
-index a03a7f3b715..cfb737d4452 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
-@@ -37,6 +37,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82829-3
-+ cce@rhel9: CCE-83668-4
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
-index d4bd88e6cfc..4436051f808 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
-@@ -36,6 +36,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82835-0
-+ cce@rhel9: CCE-83667-6
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
-index 6c05a736e39..2bf582dd53f 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
-@@ -35,6 +35,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82836-8
-+ cce@rhel9: CCE-83680-9
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
-index
34e9fc134e0..18514ecff5a 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
-@@ -32,6 +32,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82828-5
-+ cce@rhel9: CCE-83673-4
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
-index 2d0f7cf9da3..81493843494 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
-@@ -44,6 +44,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82830-1
-+ cce@rhel9: CCE-83671-8
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
-index 28045878a69..45fa2df7aa7 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
-@@ -39,6 +39,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82832-7
-+ cce@rhel9: CCE-83681-7
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
-index d764e384ea2..261cd4ef445 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
-@@ -36,6 +36,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82838-4
-+ cce@rhel9: CCE-90814-5
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
-index 0a41ece25fc..aef687ae110 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
-@@ -116,6 +116,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82373-2
-+ cce@rhel9: CCE-83655-1
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
-index a95c0146b11..47c31aeee19 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
-@@ -37,6 +37,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82384-9
-+ cce@rhel9: CCE-83675-9
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
-index 4133eb193f2..5a6792c5f1b 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
-@@ -38,6 +38,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82385-6
-+ cce@rhel9: CCE-83658-5
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
-index 47f248a2b36..f83c888b928 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
-@@ -36,6 +36,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82837-6
-+ cce@rhel9: CCE-83676-7
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
-index 5017b17849b..8bd5d90049a 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
-@@ -35,6 +35,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82383-1
-+ cce@rhel9: CCE-83678-3
-
- references:
- ospp: FAU_GEN.1.1.c
-diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
-index 19421f40ade..112bda557df 100644
---- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
-+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
-@@ -26,6 +26,7 @@ requires:
- identifiers:
- cce@rhel7: CCE-27407-6
- cce@rhel8: CCE-80872-5
-+ cce@rhel9: CCE-90829-3
- cce@rhcos4: CCE-82463-1
- cce@sle12: CCE-83024-0
- cce@sle15: CCE-85581-7
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
-index c1f77e21c36..0a0d76aeb23 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
-@@ -15,6 +15,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-82351-8
- cce@rhel8: CCE-83920-9
-+ cce@rhel9: CCE-83844-1
-
- references:
- anssi: BP28(R11)
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
-index 03f56b8031d..308ae9cb735 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
-@@ -25,6 +25,7 @@ severity: medium
-
- identifiers:
-
cce@rhel8: CCE-83314-5
-+ cce@rhel9: CCE-83841-7
-
- references:
- ospp: FCS_RBG_EXT.1.1
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
-index f186b1ae6e7..7a8d228ddc3 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
-@@ -21,6 +21,7 @@ severity: high
-
- identifiers:
- cce@rhel8: CCE-82194-2
-+ cce@rhel9: CCE-83843-3
-
- references:
- srg: SRG-OS-000433-GPOS-00193,SRG-OS-000095-GPOS-00049
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
-index 0b5873c56a2..f82c1648315 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82159-5
- cce@rhel8: CCE-80946-7
-+ cce@rhel9: CCE-83842-5
-
- references:
- srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-index 38f33d1812a..28132401b0e 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82023-3
- cce@rhel8: CCE-80800-6
-+ cce@rhel9: CCE-83848-2
-
- references:
- cis@rhel7: 1.4.2
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-index 80c53fdd4b0..70ebc483f25 100644
----
a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82026-6
- cce@rhel8: CCE-80805-5
-+ cce@rhel9: CCE-83845-8
-
- references:
- cis@rhel7: 1.4.2
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
-index 6564de998e2..d3ee73725d8 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82039-9
- cce@rhel8: CCE-80814-7
-+ cce@rhel9: CCE-83846-6
-
- references:
- cis@rhel7: 1.4.2
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-index 795230dcbec..89b29fc27d4 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-@@ -43,6 +43,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-27309-4
- cce@rhel8: CCE-80828-7
-+ cce@rhel9: CCE-83849-0
- cce@sle12: CCE-83044-8
- cce@sle15: CCE-83274-1
-
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
-index 987a42d31ec..d342163b6c0 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83321-0
-+ cce@rhel9: CCE-84096-7
-
- ocil_clause: 'auditing is not enabled at boot time'
-
-diff --git
a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
-index cfb8c08f31d..c37fbcb9ba1 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83341-8
-+ cce@rhel9: CCE-84099-1
-
- ocil_clause: 'audit backlog limit is not configured'
-
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
-index b8b025f74f4..56b634d4b19 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83485-3
-+ cce@rhel9: CCE-84092-6
-
- ocil_clause: 'a non BLS boot entry is configured'
-
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
-index c8133e19ab4..6c7e3396553 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83486-1
-+ cce@rhel9: CCE-84098-3
-
- ocil_clause: 'the bootmap is outdated'
-
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
-index c626f6188cd..0cd61ae2f53 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
-
- identifiers:
- cce@rhel8:
CCE-83351-7
-+ cce@rhel9: CCE-84101-5
-
- ocil_clause: 'page allocator poisoning is not enabled'
-
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
-index d266165cddc..df0f6c3ee98 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83371-5
-+ cce@rhel9: CCE-84094-2
-
- ocil_clause: 'SLUB/SLAB poisoning is not enabled'
-
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
-index 387f7f13850..52b192ffc52 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83381-4
-+ cce@rhel9: CCE-84100-7
-
- ocil_clause: 'vsyscalls are enabled'
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
-index 7d78a6963c2..569c0371ec3 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80380-9
- cce@rhel8: CCE-80859-2
-+ cce@rhel9: CCE-83994-4
-
- references:
- stigid@ol7: OL07-00-021100
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-index c2e28da36f8..b734c694779 100644
----
a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80195-1
- cce@rhel8: CCE-80794-1
-+ cce@rhel9: CCE-83993-6
- cce@rhcos4: CCE-82689-1
-
- references:
-diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
-index afa2afd6671..62982ff8a94 100644
---- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
-+++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82859-0
-+ cce@rhel9: CCE-83987-8
-
- references:
- ospp: FTP_ITC_EXT.1.1
-diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-index e5c90880a27..8ded536b23e 100644
---- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80192-8
- cce@rhel8: CCE-84275-7
-+ cce@rhel9: CCE-83995-1
-
- references:
- stigid@ol7: OL07-00-031010
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-index bf8e746aac9..1bb9f3625e7 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-@@ -38,6 +38,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27343-3
- cce@rhel8: CCE-80863-4
-+ cce@rhel9: CCE-83990-2
- cce@sle12:
CCE-83180-0
- cce@sle15: CCE-85552-8
-
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
-index 2f908980994..6bfe1524ce5 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82457-3
-+ cce@rhel9: CCE-83991-0
-
- references:
- nist: AU-9(3),CM-6(a)
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
-index 801684102fe..2398c0317a7 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82458-1
-+ cce@rhel9: CCE-83992-8
-
- references:
- ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1
-diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-index 8b88773f0ff..7298262fe52 100644
---- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80188-6
- cce@rhel8: CCE-80886-5
-+ cce@rhel9: CCE-83989-4
-
- references:
- anssi: BP28(R5),NT28(R46)
-diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
-index fc79c5f06e8..b9ce05776a1 100644
----
a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
-+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82999-4
- cce@rhel8: CCE-82998-6
-+ cce@rhel9: CCE-84021-5
- cce@rhcos4: CCE-82521-6
- cce@sle15: CCE-85698-9
-
-diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-index b4afabb15fd..7003d666198 100644
---- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80998-8
- cce@rhel8: CCE-80877-4
-+ cce@rhel9: CCE-90833-5
- cce@rhcos4: CCE-82554-7
- cce@sle15: CCE-85751-6
-
-diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
-index 636e30e3e1f..51848fc19f4 100644
---- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
-+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27349-0
- cce@rhel8: CCE-80890-7
-+ cce@rhel9: CCE-84023-1
-
- references:
- stigid@ol7: OL07-00-040810
-diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
-index 20e5f729460..e8e06e5b2b4 100644
----
a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
-+++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80170-4
- cce@rhel8: CCE-80845-1
-+ cce@rhel9: CCE-84068-6
- cce@rhcos4: CCE-82525-7
-
- references:
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
-index 43fd69a2003..5d0fc56b27a 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80180-3
- cce@rhel8: CCE-81006-9
-+ cce@rhel9: CCE-84120-5
- cce@rhcos4: CCE-82467-2
-
- references:
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
-index ba9182b87a0..979201fc23a 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
-@@ -13,6 +13,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-84271-6
- cce@rhel8: CCE-84272-4
-+ cce@rhel9: CCE-84115-5
-
- references:
- anssi: BP28(R22)
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
-index a7a0c007b0b..d430df13480 100644
----
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
-@@ -13,6 +13,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-84279-9
- cce@rhel8: CCE-84280-7
-+ cce@rhel9: CCE-84122-1
-
- references:
- anssi: BP28(R22)
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
-index 909e8cfcfbd..8c009414d35 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
-@@ -13,6 +13,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-84287-2
- cce@rhel8: CCE-84288-0
-+ cce@rhel9: CCE-84111-4
-
- references:
- anssi: BP28(R22)
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-index 8d92c0fec29..66826772a68 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80182-9
- cce@rhel8: CCE-81009-3
-+ cce@rhel9: CCE-84125-4
- cce@rhcos4: CCE-82471-4
- cce@sle15: CCE-85708-6
-
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml -index bf9263a67a8..a77d1f4a21e 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml -@@ -21,6 +21,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80179-5 - cce@rhel8: CCE-81013-5 -+ cce@rhel9: CCE-84131-2 - cce@rhcos4: CCE-82480-5 - cce@sle12: CCE-83078-6 - cce@sle15: CCE-85649-2 -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml -index 7f4cf1b36cc..d0b011dd892 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml -@@ -13,6 +13,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84265-8 - cce@rhel8: CCE-84266-6 -+ cce@rhel9: CCE-84126-2 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml -index 0f4330678ac..447e9533a56 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80356-9 - cce@rhel8: CCE-82863-2 -+ cce@rhel9: CCE-84114-8 - cce@sle15: CCE-85713-6 - - references: -diff --git 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml -index 1478ffb0438..038d4b2efbf 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml -@@ -15,6 +15,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84258-3 - cce@rhel8: CCE-84259-1 -+ cce@rhel9: CCE-84112-2 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml -index 70081798a18..697718eef25 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml -@@ -13,6 +13,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84281-5 - cce@rhel8: CCE-84109-8 -+ cce@rhel9: CCE-84128-8 - - - references: -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml -index 0bbf39499bf..3736a8c934d 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml -@@ -13,6 +13,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80181-1 - cce@rhel8: CCE-81007-7 -+ cce@rhel9: CCE-84124-7 - cce@rhcos4: CCE-82468-0 - - references: 
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml -index ebd596f9688..2da8c426314 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml -@@ -13,6 +13,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84267-4 - cce@rhel8: CCE-84268-2 -+ cce@rhel9: CCE-84116-3 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml -index 18882c3a826..2865601da80 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml -@@ -13,6 +13,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84273-2 - cce@rhel8: CCE-84051-2 -+ cce@rhel9: CCE-84118-9 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml -index b0b27f379f5..6de9820b44a 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml -@@ -13,6 +13,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84289-8 - 
cce@rhel8: CCE-84291-4 -+ cce@rhel9: CCE-84121-3 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml -index 49d92c2a763..8f55e1ecf4a 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml -@@ -13,6 +13,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80183-7 - cce@rhel8: CCE-81010-1 -+ cce@rhel9: CCE-84113-0 - cce@rhcos4: CCE-82477-1 - cce@sle15: CCE-85722-7 - cce@sle12: CCE-83223-8 -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml -index 3f81bf20f53..a5c911aec64 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml -@@ -21,6 +21,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80355-1 - cce@rhel8: CCE-81015-0 -+ cce@rhel9: CCE-84130-4 - cce@rhcos4: CCE-82481-3 - cce@sle15: CCE-85653-4 - -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml -index 37545b05822..95a023ef48e 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml -+++ 
b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml -@@ -13,6 +13,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84263-3 - cce@rhel8: CCE-84264-1 -+ cce@rhel9: CCE-84133-8 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml -index 5c764c307c6..d7795727431 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml -@@ -15,6 +15,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84256-7 - cce@rhel8: CCE-84257-5 -+ cce@rhel9: CCE-84117-1 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml -index 36b3016ccf4..d4eeebf721e 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml -@@ -13,6 +13,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-84283-1 - cce@rhel8: CCE-83477-0 -+ cce@rhel9: CCE-84026-4 - - - references: -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml -index 0de8259e975..d7aa582a33b 100644 ---- 
a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml -@@ -20,6 +20,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82871-5 - cce@rhel8: CCE-82872-3 -+ cce@rhel9: CCE-84024-9 - - references: - cis@rhel7: 3.3.3 -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml -index e044f2f85b0..0f835e52c11 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml -@@ -20,6 +20,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80158-9 - cce@rhel8: CCE-80917-8 -+ cce@rhel9: CCE-84011-6 - cce@rhcos4: CCE-82469-8 - cce@sle12: CCE-83090-1 - cce@sle15: CCE-85651-8 -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml -index c973a5cd4f5..6e734167503 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml -@@ -21,6 +21,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27434-0 - cce@rhel8: CCE-81011-9 -+ cce@rhel9: CCE-84001-7 - cce@rhcos4: CCE-82478-9 - cce@sle12: CCE-83064-6 - cce@sle15: CCE-85648-4 -diff --git 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml -index 43fefc50c5a..48d815feaa2 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml -@@ -17,6 +17,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-80160-5 - cce@rhel8: CCE-81018-4 -+ cce@rhel9: CCE-84000-9 - cce@rhcos4: CCE-82486-2 - - references: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -index 7f1dcbee78d..dabb3606d6d 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80167-0 - cce@rhel8: CCE-81021-8 -+ cce@rhel9: CCE-84008-2 - cce@rhcos4: CCE-82488-8 - - references: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml -index 161b76aa880..cd1865f86fb 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml -+++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80159-7 - cce@rhel8: CCE-81016-8 -+ cce@rhel9: CCE-84016-5 - cce@rhcos4: CCE-82482-1 - - references: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml -index 8cb3b0a64c1..c1f6770933b 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml -@@ -19,6 +19,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80163-9 - cce@rhel8: CCE-80919-4 -+ cce@rhel9: CCE-84003-3 - cce@rhcos4: CCE-82470-6 - cce@sle12: CCE-83081-0 - cce@sle15: CCE-85652-6 -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml -index 6170a83afb1..783c42ee4c2 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml -@@ -21,6 +21,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80162-1 - cce@rhel8: CCE-80920-2 -+ cce@rhel9: CCE-84007-4 - cce@rhcos4: CCE-82479-7 - cce@sle12: CCE-83079-4 - cce@sle15: CCE-85650-0 -diff --git 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml -index 5a7bb934bdf..7ed2e2f1423 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml -@@ -17,6 +17,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-80161-3 - cce@rhel8: CCE-81020-0 -+ cce@rhel9: CCE-84014-0 - cce@rhcos4: CCE-82487-0 - - references: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml -index 8e0687c50a4..32498d5de5a 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80168-8 - cce@rhel8: CCE-81022-6 -+ cce@rhel9: CCE-84009-0 - cce@rhcos4: CCE-82489-6 - - references: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml -index 8b6378eaf6e..18da604b29d 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml -+++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80164-7 - cce@rhel8: CCE-81017-6 -+ cce@rhel9: CCE-84019-9 - cce@rhcos4: CCE-82483-9 - - references: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml -index 11eddda99ed..bd6ee152a31 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80165-4 - cce@rhel8: CCE-80922-8 -+ cce@rhel9: CCE-84004-1 - cce@rhcos4: CCE-82491-2 - cce@sle12: CCE-83080-2 - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml -index ab3e5e8b6e7..70eeb8341b6 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml -@@ -15,6 +15,7 @@ severity: unknown - identifiers: - cce@rhel7: CCE-80166-2 - cce@rhel8: CCE-81023-4 -+ cce@rhel9: CCE-84015-7 - cce@rhcos4: CCE-82490-4 - - references: -diff --git 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml -index c4f398fc3da..84bb91629f2 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-84276-5 - cce@rhel8: CCE-84277-3 -+ cce@rhel9: CCE-90834-3 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml -index f9ff179e2cc..b70279f6cbd 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-84269-0 - cce@rhel8: CCE-84270-8 -+ cce@rhel9: CCE-84012-4 - - references: - anssi: BP28(R22) -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml -index 2643f7b34af..4f9ded02621 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml -@@ -19,6 +19,7 @@ severity: 
medium - identifiers: - cce@rhel7: CCE-27495-1 - cce@rhel8: CCE-80923-6 -+ cce@rhel9: CCE-84006-6 - cce@rhcos4: CCE-82492-0 - cce@sle12: CCE-83179-2 - cce@sle15: CCE-83283-2 -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml -index 5bb3a291d88..4a941677e84 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80156-3 - cce@rhel8: CCE-80918-6 -+ cce@rhel9: CCE-83997-7 - cce@rhcos4: CCE-82484-7 - cce@sle12: CCE-83089-3 - cce@sle15: CCE-85655-9 -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -index c2fca54905b..40dd979e981 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80999-6 - cce@rhel8: CCE-80921-0 -+ cce@rhel9: CCE-83999-3 - cce@rhcos4: CCE-82485-4 - cce@sle12: CCE-83086-9 - cce@sle15: CCE-85654-2 -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -index 4b70eed91d5..0885d759506 100644 ---- 
a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -@@ -17,6 +17,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80157-1 - cce@rhel8: CCE-81024-2 -+ cce@rhel9: CCE-83998-5 - cce@sle12: CCE-83088-5 - cce@sle15: CCE-85709-4 - -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml -index b35b94c0649..cf538b45c8a 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml -@@ -19,6 +19,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82162-9 - cce@rhel8: CCE-82028-2 -+ cce@rhel9: CCE-84137-9 - cce@rhcos4: CCE-82518-2 - - references: -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml -index 97c10b91f40..5401bf0a552 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml -@@ -19,6 +19,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82164-5 - cce@rhel8: CCE-82059-7 -+ cce@rhel9: CCE-84134-6 - cce@rhcos4: CCE-82519-0 - - references: -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -index 110a84efcae..f0842cded24 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -@@ -19,6 +19,7 @@ severity: medium - identifiers: - 
cce@rhel7: CCE-82024-1 - cce@rhel8: CCE-80833-7 -+ cce@rhel9: CCE-84136-1 - - references: - stigid@ol7: OL07-00-020101 -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml -index 43ba8378d43..845d4d8f67a 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82160-3 - cce@rhel8: CCE-82005-0 -+ cce@rhel9: CCE-84060-3 - cce@rhcos4: CCE-82517-4 - - references: -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml -index 85a8a7e02e0..beb0c7ffcc4 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml -@@ -17,6 +17,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82869-9 - cce@rhel8: CCE-82870-7 -+ cce@rhel9: CCE-84064-5 - - references: - cis@rhel7: 3.5.3 -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml -index aa074954939..53393d561a4 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml -@@ -20,6 +20,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82044-9 - cce@rhel8: CCE-80834-5 -+ cce@rhel9: CCE-84139-5 - cce@rhcos4: CCE-82516-6 - - references: -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml 
b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml -index 1b44eeaa816..6f212aae42d 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml -@@ -24,6 +24,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-83395-4 - cce@rhel8: CCE-82297-3 -+ cce@rhel9: CCE-84065-2 - cce@rhcos4: CCE-82520-8 - - references: -diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml -index 55fa265f7b3..bd79f613f9e 100644 ---- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml -@@ -21,6 +21,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27327-6 - cce@rhel8: CCE-80832-9 -+ cce@rhel9: CCE-84067-8 - cce@rhcos4: CCE-82515-8 - - references: -diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -index aaa17c752cf..6826f72b38d 100644 ---- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -@@ -36,6 +36,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27358-1 - cce@rhel8: CCE-83501-7 -+ cce@rhel9: CCE-84066-0 - cce@rhcos4: CCE-82660-2 - cce@sle12: CCE-83148-7 - cce@sle15: CCE-83286-5 -diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml -index 9b1e0b4f69d..3048f0bc8d7 
100644 ---- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml -+++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml -@@ -29,6 +29,7 @@ platform: machine # The oscap interface probe doesn't support offline mode - identifiers: - cce@rhel7: CCE-80174-6 - cce@rhel8: CCE-82283-3 -+ cce@rhel9: CCE-83996-9 - cce@sle12: CCE-83147-9 - cce@sle15: CCE-85656-7 - -diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml -index 0a4232cae38..8fccb555dc3 100644 ---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml -+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml -@@ -21,6 +21,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-83374-9 - cce@rhel8: CCE-83375-6 -+ cce@rhel9: CCE-83903-5 - - references: - anssi: BP28(R40) -diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml -index 4a72ddda83e..2babda397c8 100644 ---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml -+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml -@@ -33,6 +33,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80130-8 - cce@rhel8: CCE-80783-4 -+ cce@rhel9: CCE-83895-3 - cce@rhcos4: CCE-82753-5 - cce@sle12: CCE-83047-1 - cce@sle15: CCE-83282-4 -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -index 12b1ed7483c..aa821dccf22 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -@@ -27,6 +27,7 @@ 
severity: medium - identifiers: - cce@rhel7: CCE-80132-4 - cce@rhel8: CCE-80816-2 -+ cce@rhel9: CCE-83901-9 - - references: - anssi: BP28(R37),BP28(R38) -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index 079679d5b17..5eccb8ec703 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -@@ -27,6 +27,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80133-2 - cce@rhel8: CCE-80817-0 -+ cce@rhel9: CCE-83897-9 - - references: - anssi: BP28(R37),BP28(R38) -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml -index 37614b561ec..cdab3363005 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml -@@ -23,6 +23,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80131-6 - cce@rhel8: CCE-80818-8 -+ cce@rhel9: CCE-83902-7 - - references: - cis@rhel7: 6.1.10 -diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -index 9af992d2e71..6ffe95805c8 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80135-7 - cce@rhel8: CCE-83497-8 -+ cce@rhel9: CCE-83906-8 - cce@sle12: CCE-83073-7 - cce@sle15: CCE-85658-3 - -diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml 
b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-index 1169d757fd0..087e23ac547 100644
---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-@@ -29,6 +29,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80134-0
- cce@rhel8: CCE-83499-4
-+ cce@rhel9: CCE-83896-1
- cce@sle12: CCE-83072-9
- cce@sle15: CCE-85657-5
-
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
-index 8752366d140..a5140984c51 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83474-7
- cce@rhel8: CCE-83475-4
-+ cce@rhel9: CCE-83928-2
-
- references:
- cis@rhel7: 6.1.8
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
-index 4b0f213e2d2..c66413c54a9 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83534-8
- cce@rhel8: CCE-83535-5
-+ cce@rhel9: CCE-83951-4
-
- references:
- cis@rhel7: 6.1.9
-diff --git
a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
-index 67a8a2b2f7b..9bdf77e0f43 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83323-6
- cce@rhel8: CCE-83324-4
-+ cce@rhel9: CCE-83933-2
-
- references:
- cis@rhel7: 6.1.6
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
-index 6f5e7c6db4a..4a33f96814c 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83414-3
- cce@rhel8: CCE-83415-0
-+ cce@rhel9: CCE-83938-1
-
- references:
- cis@rhel7: 6.1.7
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
-index a30e43191dc..0d93a0096dd 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82037-3
-
cce@rhel8: CCE-80796-6
-+ cce@rhel9: CCE-83945-6
-
- references:
- cis@rhel7: 6.1.4
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
-index 081652006fd..162f01db012 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82025-8
- cce@rhel8: CCE-80797-4
-+ cce@rhel9: CCE-83948-0
-
- references:
- cis@rhel7: 6.1.5
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
-index ffe20494729..9a4c5d30561 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-26639-5
- cce@rhel8: CCE-80798-2
-+ cce@rhel9: CCE-83950-6
-
- references:
- cis@rhel7: 6.1.2
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
-index a68a86445ba..4f185f7f2a4 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82051-4
- cce@rhel8: CCE-80799-0
-+ cce@rhel9: CCE-83930-8
-
- references:
- cis@rhel7: 6.1.3
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
-index 34cc7261d2b..3a301d0304b 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83472-1
- cce@rhel8: CCE-83473-9
-+ cce@rhel9: CCE-83944-9
-
- references:
- cis@rhel7: 6.1.8
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
-index c7434655b50..55a07f601da 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83532-2
- cce@rhel8: CCE-83533-0
-+ cce@rhel9: CCE-83929-0
-
- references:
- cis@rhel7: 6.1.9
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
-index e4e7e7b493e..79e4ab1fe62 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
-+++
b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83325-1
- cce@rhel8: CCE-83326-9
-+ cce@rhel9: CCE-83947-2
-
- references:
- cis@rhel7: 6.1.6
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
-index 11b341fcbb4..389f830f055 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83412-7
- cce@rhel8: CCE-83413-5
-+ cce@rhel9: CCE-83949-8
-
- references:
- cis@rhel7: 6.1.7
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
-index cded33d30ce..d19e55104e0 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82031-6
- cce@rhel8: CCE-80801-4
-+ cce@rhel9: CCE-83925-8
-
- references:
- cis@rhel7: 6.1.4
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
-index 52fa58671f4..2419015f113 100644
----
a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82195-9
- cce@rhel8: CCE-80802-2
-+ cce@rhel9: CCE-83924-1
-
- references:
- cis@rhel7: 6.1.5
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
-index dd04e90f501..e71300f22d1 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82052-2
- cce@rhel8: CCE-80803-0
-+ cce@rhel9: CCE-83943-1
-
- references:
- cis@rhel7: 6.1.2
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
-index fbdb621807b..6eb53bc53d4 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82022-5
- cce@rhel8: CCE-80804-8
-+ cce@rhel9: CCE-83926-6
-
- references:
- cis@rhel7: 6.1.3
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
-index 5e69037060a..7e79f387e13 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83482-0
- cce@rhel8: CCE-83483-8
-+ cce@rhel9: CCE-83939-9
-
- references:
- cis@rhel7: 6.1.8
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
-index 3d6857d811b..7c3994e5115 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83572-8
- cce@rhel8: CCE-83573-6
-+ cce@rhel9: CCE-83942-3
-
- references:
- cis@rhel7: 6.1.9
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
-index 43f6675bf3f..1f87b073988 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83331-9
- cce@rhel8: CCE-83332-7
-+ cce@rhel9: CCE-83940-7
-
- references:
- cis@rhel7: 6.1.6
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
-index 7c9b99651bc..d36289cda20 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83416-8
- cce@rhel8: CCE-83417-6
-+ cce@rhel9: CCE-83935-7
-
- references:
- cis@rhel7: 6.1.7
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
-index ef8cf0cca28..1a7c3b8854c 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82032-4
- cce@rhel8: CCE-80810-5
-+ cce@rhel9: CCE-83934-0
-
- references:
- cis@rhel7: 6.1.4
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
-index 58c08ac643f..3b3fe738e04 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82192-6
- cce@rhel8: CCE-80811-3
-+ cce@rhel9: CCE-83921-7
-
- references:
- anssi: BP28(R36)
-diff --git
a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
-index 0a7f729c6cd..9faf0f5313a 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82029-0
- cce@rhel8: CCE-80812-1
-+ cce@rhel9: CCE-83931-6
-
- references:
- cis@rhel7: 6.1.2
-diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
-index be331eca4a4..700f0a73a5d 100644
---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
-@@ -25,6 +25,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82042-3
- cce@rhel8: CCE-80813-9
-+ cce@rhel9: CCE-83941-5
-
- references:
- anssi: BP28(R36)
-diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
-index 84b58bd8cf3..a9e9d909350 100644
---- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83659-3
-+ cce@rhel9: CCE-83912-6
-
- references:
- srg: SRG-OS-000206-GPOS-00084
-diff --git
a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
-index 40811212654..d73e8fe2470 100644
---- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
-@@ -12,6 +12,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83660-1
-+ cce@rhel9: CCE-83916-7
-
- references:
- srg: SRG-OS-000206-GPOS-00084
-diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
-index b151758b1b0..a897085ca0a 100644
---- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83661-9
-+ cce@rhel9: CCE-83914-2
-
- references:
- srg: SRG-OS-000206-GPOS-00084
-diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
-index 084e13a1de0..f7e16949999 100644
---- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
-@@ -12,6 +12,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83662-7
-+ cce@rhel9: CCE-83915-9
-
- references:
- srg: SRG-OS-000206-GPOS-00084
-diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
-index db131144de9..12a62347de7 100644
---- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83663-5
-+ cce@rhel9: CCE-83917-5
-
- references:
- srg: SRG-OS-000206-GPOS-00084
-diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
-index 0a8d5d1dde0..19ab1f8ff76 100644
---- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
-@@ -13,6 +13,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-83665-0
-+ cce@rhel9: CCE-83913-4
-
- references:
- srg: SRG-OS-000206-GPOS-00084
-diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
-index 20bd962b3aa..f02d6f4ed7b 100644
---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82048-0
- cce@rhel8: CCE-80806-3
-+ cce@rhel9: CCE-83908-4
- cce@sle15: CCE-85730-0
-
- references:
-diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
-index ca6fd90c280..df6f29fc2ac 100644
---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82021-7
- cce@rhel8: CCE-80807-1
-+ cce@rhel9: CCE-83907-6
- cce@sle15: CCE-85756-5
-
- references:
-diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
-index ad69c4f88ec..ea0117bba7e 100644
---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82040-7
- cce@rhel8: CCE-80809-7
-+ cce@rhel9: CCE-83911-8
- cce@sle15: CCE-85729-2
-
- references:
-diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
-index 0dce477d5f3..6480caed07c 100644
---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
-+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
-@@ -28,6 +28,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82033-2
- cce@rhel8: CCE-80815-4
-+ cce@rhel9: CCE-83909-2
- cce@sle15: CCE-85670-8
-
- references:
-diff --git
a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
-index 867e0833c64..3a5f2c2a89b 100644
---- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
-+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-81026-7
- cce@rhel8: CCE-81027-5
-+ cce@rhel9: CCE-84110-6
- cce@rhcos4: CCE-82506-7
-
- references:
-diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
-index e12a68c95ba..53cb920e90d 100644
---- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
-+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-81029-1
- cce@rhel8: CCE-81030-9
-+ cce@rhel9: CCE-83900-1
- cce@rhcos4: CCE-82507-5
-
- references:
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
-index 10116e8a543..89603b2e9a7 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
-@@ -24,6 +24,7 @@ platform: machine
- identifiers:
- cce@rhel7: CCE-80137-3
- cce@rhel8: CCE-81031-7
-+ cce@rhel9: CCE-83853-2
- cce@rhcos4: CCE-82514-1
-
- references:
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
-index 6b31c36af5e..ef606bfadd8 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
-+++
b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
-@@ -24,6 +24,7 @@ platform: machine
- identifiers:
- cce@rhel7: CCE-80142-3
- cce@rhel8: CCE-83498-6
-+ cce@rhel9: CCE-83855-7
- cce@rhcos4: CCE-82717-0
-
- references:
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
-index 11c9f7533a2..51f377830ef 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
-@@ -25,6 +25,7 @@ platform: machine
- identifiers:
- cce@rhel7: CCE-80143-1
- cce@rhel8: CCE-82729-5
-+ cce@rhel9: CCE-83852-4
- cce@rhcos4: CCE-82718-8
-
- references:
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
-index 3e3f97d6621..11f1a43f292 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27277-3
- cce@rhel8: CCE-80835-2
-+ cce@rhel9: CCE-83851-6
- cce@rhcos4: CCE-82719-6
- cce@sle12: CCE-83069-5
- cce@sle15: CCE-83294-9
-diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
-index bd08b4b93b1..5553f49c884 100644
---- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
-@@ -27,6 +27,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27498-5
- cce@rhel8: CCE-80873-3
-+ cce@rhel9: CCE-83850-8
- cce@rhcos4: CCE-82663-6
- cce@sle12: CCE-83070-3
- cce@sle15:
CCE-83278-2
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
-index e59ede9c721..ceef17d9ee8 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82135-5
- cce@rhel8: CCE-82941-6
-+ cce@rhel9: CCE-83884-7
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
-index b0e499d4f3a..e6f8d284138 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83315-2
- cce@rhel8: CCE-83316-0
-+ cce@rhel9: CCE-83892-0
-
- references:
- anssi: BP28(R12)
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
-index 54902dbdac5..85de23060a0 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82138-9
- cce@rhel8: CCE-81033-3
-+ cce@rhel9: CCE-83877-1
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
-index 3173c5b3db7..d38bfa5c41c 100644
----
a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
-@@ -19,6 +19,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80152-2
- cce@rhel8: CCE-80837-8
-+ cce@rhel9: CCE-83881-3
- cce@rhcos4: CCE-82867-3
-
- references:
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
-index 845de5fb01d..7d4e76eaca0 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
-@@ -22,6 +22,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80153-0
- cce@rhel8: CCE-80838-6
-+ cce@rhel9: CCE-83857-3
- cce@rhcos4: CCE-82868-1
-
- references:
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
-index 22b2a497522..82ab2971fc3 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
-@@ -19,6 +19,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80154-8
- cce@rhel8: CCE-80839-4
-+ cce@rhel9: CCE-83891-2
- cce@rhcos4: CCE-82741-0
-
- references:
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
-index bd4b69f8ec2..84e19796371 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
-@@ -23,6 +23,7 @@ severity: unknown
- identifiers:
- cce@rhel7: CCE-81047-3
- cce@rhel8: CCE-81048-1
-+ cce@rhel9: CCE-83871-4
- cce@rhcos4: CCE-82740-2
-
- references:
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
-index c07bd670135..04f12549f1c 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83327-7
- cce@rhel8: CCE-83328-5
-+ cce@rhel9: CCE-83875-5
-
- references:
- anssi: BP28(R12)
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
-index e6fd9ed7240..de14fa41aa8 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-81153-9
- cce@rhel8: CCE-81050-7
-+ cce@rhel9: CCE-83894-6
- cce@sle12: CCE-83100-8
- cce@sle15: CCE-85633-6
-
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
-index 5f658b2a592..1725c8daf4c 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
-@@ -30,6 +30,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80145-6
- cce@rhel8: CCE-82069-6
-+ cce@rhel9: CCE-83873-0
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
-index
34fadec6e9b..4d830212c30 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
-@@ -23,6 +23,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80146-4
- cce@rhel8: CCE-82742-8
-+ cce@rhel9: CCE-83856-5
- cce@rhcos4: CCE-82865-7
-
- references:
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
-index ab8cec9f91d..4e36f9ef1f5 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80147-2
- cce@rhel8: CCE-82746-9
-+ cce@rhel9: CCE-83883-9
- cce@rhcos4: CCE-82747-7
-
- references:
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
-index 054fd19e13e..c0c2c12c634 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80148-0
- cce@rhel8: CCE-82744-4
-+ cce@rhel9: CCE-83874-8
- cce@rhcos4: CCE-82745-1
- cce@sle12: CCE-83101-6
- cce@sle15: CCE-85634-4
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
-index a68d065c2f9..b67d96ba8da 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
-+++
b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83317-8
- cce@rhel8: CCE-83319-4
-+ cce@rhel9: CCE-83880-5
-
- references:
- anssi: BP28(R12)
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
-index 469f15db079..022dee6db9a 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83320-2
- cce@rhel8: CCE-83322-8
-+ cce@rhel9: CCE-83862-3
-
- references:
- anssi: BP28(R12)
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
-index 938f7a58215..6cf42d368a7 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80149-8
- cce@rhel8: CCE-82623-0
-+ cce@rhel9: CCE-83869-8
-
- references:
- cis@rhel7: 1.1.4
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
-index 1344518bc2f..055adca538a 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80150-6
- cce@rhel8: CCE-82139-7
-+ cce@rhel9: CCE-83885-4
-
- references:
- cis@rhel7: 1.1.3
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
-index 827eeb0381b..16e919a0586 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80151-4
- cce@rhel8: CCE-82140-5
-+ cce@rhel9: CCE-83872-2
-
- references:
- cis@rhel7: 1.1.5
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
-index 252de20f49e..de0ed866913 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82079-5
- cce@rhel8: CCE-82080-3
-+ cce@rhel9: CCE-83882-1
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
-index 06b1ee7eddc..8f862132b56 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82146-2
- cce@rhel8: CCE-82975-4
-+ cce@rhel9: CCE-83878-9
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
-index 1443e2a64f4..a991a15ae5e 100644
----
a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82148-8
- cce@rhel8: CCE-82921-8
-+ cce@rhel9: CCE-83893-8
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
-index 97670681e06..920351725ad 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82076-1
- cce@rhel8: CCE-82077-9
-+ cce@rhel9: CCE-83886-2
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
-index 6548012de35..2be49486a16 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82142-1
- cce@rhel8: CCE-82008-4
-+ cce@rhel9: CCE-83887-0
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
-index 34fe89affd0..4c4c2711f37 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
-@@ -22,6 +22,7 @@ severity: medium
-
identifiers:
- cce@rhel7: CCE-82144-7
- cce@rhel8: CCE-82065-4
-+ cce@rhel9: CCE-83870-6
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
-index 92a8dd83813..8a8413b49e6 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82064-7
- cce@rhel8: CCE-82062-1
-+ cce@rhel9: CCE-83868-0
-
- references:
- nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
-index 1cb6cbab055..7119419eb6b 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83329-3
- cce@rhel8: CCE-83330-1
-+ cce@rhel9: CCE-83865-6
-
- references:
- anssi: BP28(R12)
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
-index f15cc75ae19..ca3e15f3878 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
-@@ -16,6 +16,7 @@ rationale: |-
- identifiers:
- cce@rhel7: CCE-83378-0
- cce@rhel8: CCE-83383-0
-+ cce@rhel9: CCE-83867-2
-
- references:
- anssi: BP28(R12)
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
-index
03443bd43fd..c78149e13aa 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-81052-3
- cce@rhel8: CCE-82068-8
-+ cce@rhel9: CCE-83864-9
- cce@rhcos4: CCE-82735-2
-
- references:
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
-index 4adc6791d88..87a5f0e2f5d 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82150-4
- cce@rhel8: CCE-82151-2
-+ cce@rhel9: CCE-83866-4
- cce@rhcos4: CCE-82866-5
-
- references:
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
-index a22d658a6b2..7df03f1bf13 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82153-8
- cce@rhel8: CCE-82154-6
-+ cce@rhel9: CCE-83863-1
- cce@rhcos4: CCE-82736-0
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-index dd32d225db8..3047f5790ab 100644
---- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
-
cce@rhel7: CCE-80169-6
- cce@rhel8: CCE-81038-2
-+ cce@rhel9: CCE-83980-3
- cce@rhcos4: CCE-82526-5
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
-index baa8a448026..290d91abacf 100644
---- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
-@@ -20,6 +20,7 @@ platform: machine
-
- identifiers:
- cce@rhel8: CCE-82881-4
-+ cce@rhel9: CCE-83974-6
- cce@rhcos4: CCE-82530-7
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
-index b9521a9a648..9734bd75112 100644
---- a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-26900-1
- cce@rhel8: CCE-80912-9
-+ cce@rhel9: CCE-83981-1
-
- references:
- cis@rhel7: 1.5.1
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
-index 9e018613784..7ddbcbfc0a3 100644
---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
-@@ -27,6 +27,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode
- identifiers:
- cce@rhel7: CCE-27211-2
- cce@rhel8: CCE-80914-5
-+ cce@rhel9:
CCE-83970-4
-
- references:
- cis@rhel7: 1.5.2
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
-index c678f8f086c..9474fed6098 100644
---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80659-6
- cce@rhel8: CCE-80915-2
-+ cce@rhel9: CCE-83972-0
- cce@rhcos4: CCE-82498-7
- cce@sle12: CCE-83125-5
- cce@sle15: CCE-83299-8
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
-index aa46075cdce..c96a8018909 100644
---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27127-0
- cce@rhel8: CCE-80916-0
-+ cce@rhel9: CCE-83971-2
- cce@sle12: CCE-83146-1
- cce@sle15: CCE-83300-4
-
-diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
-index 9b18bee588f..77e58a78250 100644
---- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82158-7
-
cce@rhel8: CCE-80944-2
-+ cce@rhel9: CCE-83985-2
-
- references:
- srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
-diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
-index f6059044f14..36241872a02 100644
---- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82157-9
- cce@rhel8: CCE-80945-9
-+ cce@rhel9: CCE-83986-0
-
- references:
- srg: SRG-OS-000433-GPOS-00192,SRG-OS-000134-GPOS-00068
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
-index fb3cd558c0b..dd1f67bad8c 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82215-5
-+ cce@rhel9: CCE-83961-3
- cce@rhcos4: CCE-82527-3
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
-index c7ba7b2821b..e7eb3f5caf3 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27050-4
- cce@rhel8: CCE-80913-7
-+ cce@rhel9: CCE-83952-2
- cce@rhcos4: CCE-82499-5
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
-index 97fab077088..6433967ce7f 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-81056-4
- cce@rhel8: CCE-80952-5
-+ cce@rhel9: CCE-83954-8
- cce@rhcos4: CCE-82500-0
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
-index 2bb534d8382..1722b9370da 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83392-1
- cce@rhel8: CCE-83397-0
-+ cce@rhel9: CCE-83967-0
-
- references:
- anssi: BP28(R24)
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
-index 147e1f0a96a..52456967c53 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83369-9
- cce@rhel8: CCE-83373-1
-+ cce@rhel9: CCE-83969-6
-
- references:
- anssi: BP28(R23)
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
-index 1cb4a86a14c..f78db1b0dbd 100644
----
a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83367-3
- cce@rhel8: CCE-83368-1
-+ cce@rhel9: CCE-83962-1
-
- references:
- anssi: BP28(R23)
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
-index 696994b0f27..c756902afd2 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
-@@ -14,6 +14,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-81053-1
- cce@rhel8: CCE-81054-9
-+ cce@rhel9: CCE-83959-7
- cce@rhcos4: CCE-82502-6
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
-index 672df86e693..4299f35b9df 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83365-7
- cce@rhel8: CCE-83366-5
-+ cce@rhel9: CCE-83960-5
-
- references:
- anssi: BP28(R23)
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
-index 88e9e4e6285..f17eeb7a8fe 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83353-3
- cce@rhel8: CCE-83355-8
-+ cce@rhel9:
CCE-83968-8
-
- references:
- anssi: BP28(R23)
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
-index 31fde102de8..9a90716debc 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82203-1
- cce@rhel8: CCE-82974-7
-+ cce@rhel9: CCE-83957-1
- cce@rhcos4: CCE-82504-2
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
-index 7cd437ec14a..b686a606f86 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-81058-0
- cce@rhel8: CCE-80953-3
-+ cce@rhel9: CCE-83965-4
- cce@rhcos4: CCE-82501-8
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
-index 9812e2beb16..f87be0ff5c6 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82934-1
-+ cce@rhel9: CCE-83966-2
- cce@rhcos4: CCE-82505-9
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
-index 223619814b5..145c652fa73 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
-@@ -23,6 +23,7 @@ severity: low
-
- identifiers:
- cce@rhel8: CCE-82211-4
-+ cce@rhel9: CCE-83956-3
- cce@rhcos4: CCE-82503-4
-
- references:
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
-index c5158c6cbb6..93a11ee5086 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
-@@ -17,6 +17,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-83358-2
- cce@rhel8: CCE-83363-2
-+ cce@rhel9: CCE-83958-9
-
- references:
- anssi: BP28(R23)
-diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
-index 87a081248be..4cda0a17a8d 100644
---- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
-+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-26961-3
- cce@rhel8: CCE-80827-9
-+ cce@rhel9: CCE-84078-5
- cce@rhcos4: CCE-82666-9
-
- references:
-diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
-index c8123f6a4f6..d38f1829771 100644
---- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
-+++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
-@@ -18,6 +18,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-82876-4
- cce@rhel8: CCE-82877-2
-+ cce@rhel9: CCE-84069-4
-
- references:
- cis@rhel7: 1.6.1.1
-diff
--git a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
-index becb0dab84a..81f72105a80 100644
---- a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
-+++ b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
-@@ -19,6 +19,7 @@ severity: low
- identifiers:
- cce@rhel7: CCE-80445-0
- cce@rhel8: CCE-82756-8
-+ cce@rhel9: CCE-84072-8
-
- references:
- cis@rhel7: 1.6.1.8
-diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
-index a18a57dcbb3..74c92194136 100644
---- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
-+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
-@@ -15,6 +15,7 @@ severity: medium
-
- identifiers:
- cce@rhel8: CCE-82724-6
-+ cce@rhel9: CCE-84070-2
-
- references:
- srg: SRG-OS-000480-GPOS-00227
-diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
-index acce754e9d2..cf3e71a1fc0 100644
---- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
-+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
-@@ -26,6 +26,7 @@ severity: high
- identifiers:
- cce@rhel7: CCE-82977-0
- cce@rhel8: CCE-82976-2
-+ cce@rhel9: CCE-84071-0
-
- references:
- srg: SRG-OS-000480-GPOS-00227
-diff --git a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
-index c7ec916622c..8992283aecc 100644
---- a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
-+++ b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
-@@ -20,6 +20,7 @@ severity: low
- identifiers:
- cce@rhel7:
CCE-80444-3
- cce@rhel8: CCE-82755-0
-+ cce@rhel9: CCE-84073-6
-
- references:
- anssi: BP28(R68)
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
-index bc189ce4d43..f3be1c78a09 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-80424-5
- cce@rhel8: CCE-84297-1
-+ cce@rhel9: CCE-84090-0
-
- references:
- cui: 80424-5
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
-index e8453fbfb8d..2a35a2db9eb 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82290-8
- cce@rhel8: CCE-83307-9
-+ cce@rhel9: CCE-84082-7
-
- references:
- anssi: BP28(R67)
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
-index e3591519dc7..53f154e7e84 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82305-4
- cce@rhel8: CCE-84230-2
-+ cce@rhel9: CCE-84083-5
-
- references:
- anssi: BP28(R39)
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
-index 6942f1e2114..428bb90bb94
100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82308-8
- cce@rhel8: CCE-83310-3
-+ cce@rhel9: CCE-84087-6
-
- {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}}
-
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
-index 7fedaab6130..6c6fbb73b26 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82312-0
- cce@rhel8: CCE-80949-1
-+ cce@rhel9: CCE-84084-3
-
- references:
- hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
-index b94d70c0989..f90ef1183de 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
-@@ -16,6 +16,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82313-8
- cce@rhel8: CCE-80950-9
-+ cce@rhel9: CCE-84086-8
-
- references:
- hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
-index 2e0b19f881d..21072e4401e 100644
----
a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82314-6
- cce@rhel8: CCE-80951-7
-+ cce@rhel9: CCE-84089-2
-
- references:
- hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
-index 98673f57c98..f4b47393a75 100644
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
-@@ -19,6 +19,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-82327-8
- cce@rhel8: CCE-83311-1
-+ cce@rhel9: CCE-84081-9
-
- {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}}
-
-diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-index cc0319a4121..216518475e8 100644
---- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-@@ -23,6 +23,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27288-0
- cce@rhel8: CCE-80867-5
-+ cce@rhel9: CCE-84075-1
- cce@rhcos4: CCE-82688-3
-
- references:
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-index e4202dcd2c6..44e001c9049 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-@@ -30,6 +30,7 @@ severity: medium
- identifiers:
- cce@rhel7: CCE-27279-9
- cce@rhel8: CCE-80868-3
-+ cce@rhel9: CCE-84074-4
- cce@rhcos4: CCE-82532-3
-
-
references: -diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml -index 1a8066e5f07..ca0a7a04bae 100644 ---- a/linux_os/guide/system/selinux/selinux_state/rule.yml -+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml -@@ -22,6 +22,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27334-2 - cce@rhel8: CCE-80869-1 -+ cce@rhel9: CCE-84079-3 - cce@rhcos4: CCE-82531-5 - - references: -diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml -index ef544f33d48..083d02a36e5 100644 ---- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml -@@ -53,6 +53,7 @@ severity: high - identifiers: - cce@rhel7: CCE-27128-8 - cce@rhel8: CCE-80789-1 -+ cce@rhel9: CCE-90849-1 - cce@sle12: CCE-83046-3 - cce@sle15: CCE-85719-3 - -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml -index c44f0c7ce98..35d766d9f9d 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml -@@ -19,6 +19,7 @@ severity: low - identifiers: - cce@rhel7: CCE-80144-9 - cce@rhel8: CCE-81044-0 -+ cce@rhel9: CCE-83468-9 - cce@rhcos4: CCE-82739-4 - cce@sle12: CCE-83152-9 - cce@sle15: CCE-85639-3 -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml -index ff22050a248..bbfd28c10ce 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml -@@ -25,6 +25,7 @@ references: - 
identifiers: - cce@rhel7: CCE-83376-4 - cce@rhel8: CCE-83387-1 -+ cce@rhel9: CCE-90846-7 - - {{{ complete_ocil_entry_separate_partition(part="/srv") }}} - -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml -index 799dfb99dd7..3a3a28cec04 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml -@@ -17,6 +17,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82053-0 - cce@rhel8: CCE-80851-9 -+ cce@rhel9: CCE-90845-9 - - references: - stigid@ol7: OL07-00-021340 -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml -index 834dbbbf210..856a09540ba 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml -@@ -19,6 +19,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82014-2 - cce@rhel8: CCE-80852-7 -+ cce@rhel9: CCE-83466-3 - cce@sle12: CCE-83153-7 - cce@sle15: CCE-85640-1 - -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml -index 7f1a8c7ddb9..08ba9a843f0 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml -@@ -17,6 +17,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82034-0 - cce@rhel8: CCE-80853-5 -+ cce@rhel9: CCE-90848-3 - cce@rhcos4: CCE-82737-8 - - references: -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml -index 
e76d455bf3a..10113499614 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml -@@ -20,6 +20,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82035-7 - cce@rhel8: CCE-80854-3 -+ cce@rhel9: CCE-90847-5 - cce@rhcos4: CCE-82738-6 - cce@sle12: CCE-83154-5 - cce@sle15: CCE-85618-7 -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml -index 535c0096b46..01c3f9b76ab 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml -@@ -19,6 +19,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82353-4 - cce@rhel8: CCE-82730-3 -+ cce@rhel9: CCE-83487-9 - cce@rhcos4: CCE-82734-5 - - references: -diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml -index 1222bbf54e5..f5ca4062d3d 100644 ---- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml -+++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82348-4 - cce@rhel8: CCE-82367-4 -+ cce@rhel9: CCE-83549-6 - - references: - nist: CM-7(a),CM-7(b),CM-6(a) -diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -index 8a36d5691b7..0a6b95ea19e 100644 ---- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -@@ -33,6 +33,7 @@ severity: high - identifiers: 
- cce@rhel7: CCE-82371-6 - cce@rhel8: CCE-80947-5 -+ cce@rhel9: CCE-83453-1 - cce@sle12: CCE-83001-8 - cce@sle15: CCE-83260-0 - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml -index b232fdb7bbf..666ae4e2b2c 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml -@@ -23,6 +23,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-80934-3 -+ cce@rhel9: CCE-83451-5 - cce@rhcos4: CCE-82544-8 - - references: -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -index 726f555e385..f95c16b271b 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -@@ -55,6 +55,7 @@ severity: high - - identifiers: - cce@rhel8: CCE-80935-0 -+ cce@rhel9: CCE-83450-7 - cce@rhcos4: CCE-82541-4 - - references: -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml -index 5f19ce25f9f..64bb048f8e5 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml -@@ -20,6 +20,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-80936-8 -+ cce@rhel9: CCE-83449-9 - cce@rhcos4: CCE-82547-1 - - references: -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml 
-index c156144f2c9..c1e7fb6f9e0 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml -@@ -24,6 +24,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-80937-6 -+ cce@rhel9: CCE-83446-5 - cce@rhcos4: CCE-82546-3 - - references: -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -index a7d6351eb4b..3953f7f2372 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -@@ -21,6 +21,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-80938-4 -+ cce@rhel9: CCE-83452-3 - cce@rhcos4: CCE-82545-5 - - references: -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml -index dfe105771cc..eba82b5fb78 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml -@@ -19,6 +19,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-84255-9 -+ cce@rhel9: CCE-83448-1 - - references: - nist: AC-17(2) -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -index 77030b4c6ed..ff24032229e 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -@@ -20,6 +20,7 @@ severity: medium - - identifiers: - 
cce@rhel8: CCE-80939-2 -+ cce@rhel9: CCE-83445-7 - - references: - nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13 -diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml -index 10974a995e1..68ce39792ba 100644 ---- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml -@@ -16,6 +16,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-82723-8 -+ cce@rhel9: CCE-83442-4 - - references: - ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1 -diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml -index b373970d241..6d0c3b42890 100644 ---- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml -+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml -@@ -24,6 +24,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode - identifiers: - cce@rhel7: CCE-80658-8 - cce@rhel8: CCE-84027-2 -+ cce@rhel9: CCE-83441-6 - - references: - disa: CCI-000068,CCI-000803,CCI-002450 -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -index d28e3222980..460641ed4e3 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -@@ -29,6 +29,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27220-3 - cce@rhel8: CCE-80675-2 -+ cce@rhel9: CCE-83438-2 - - references: - anssi: 
BP28(R51) -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -index 7feef66f859..2d7a3ac28b2 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -@@ -34,6 +34,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-26952-2 - cce@rhel8: CCE-80676-0 -+ cce@rhel9: CCE-83437-4 - cce@sle15: CCE-85671-6 - - references: -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml -index a73fb0a39ad..51dae72ee6d 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml -@@ -30,6 +30,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80374-2 - cce@rhel8: CCE-82891-3 -+ cce@rhel9: CCE-90844-2 - cce@sle12: CCE-83048-9 - - references: -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml -index f527068022a..3342599f5f6 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml -@@ -25,6 +25,7 @@ severity: low - identifiers: - cce@rhel7: CCE-80375-9 - cce@rhel8: CCE-84220-3 -+ cce@rhel9: CCE-90837-6 - cce@sle12: CCE-83150-3 - cce@sle15: CCE-85623-7 - -diff --git 
a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml -index 7961f3b5a67..54351d15423 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml -@@ -25,6 +25,7 @@ severity: low - identifiers: - cce@rhel7: CCE-80376-7 - cce@rhel8: CCE-83733-6 -+ cce@rhel9: CCE-83439-0 - cce@sle12: CCE-83151-1 - cce@sle15: CCE-85624-5 - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -index 264dd298c11..681da5b976e 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -@@ -14,6 +14,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-27096-7 - cce@rhel8: CCE-80844-4 -+ cce@rhel9: CCE-90843-4 - cce@sle12: CCE-83067-9 - cce@sle15: CCE-83289-9 - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml -index 873110cc9c3..3d0f77d825b 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml -@@ -36,6 +36,7 @@ severity: high - identifiers: - cce@rhel7: CCE-27157-7 - cce@rhel8: CCE-80857-6 -+ cce@rhel9: CCE-90841-8 - - references: - stigid@ol7: OL07-00-010020 -diff --git 
a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -index 97c0957fd68..f085d9a79f9 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -@@ -27,6 +27,7 @@ severity: high - identifiers: - cce@rhel7: CCE-80545-7 - cce@rhel8: CCE-82196-7 -+ cce@rhel9: CCE-90842-6 - cce@rhcos4: CCE-82686-7 - - references: -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -index 8875abd83fe..915cf839a68 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -@@ -32,6 +32,7 @@ severity: high - identifiers: - cce@rhel7: CCE-27209-6 - cce@rhel8: CCE-80858-4 -+ cce@rhel9: CCE-90840-0 - cce@rhcos4: CCE-82687-5 - - references: -diff --git a/linux_os/guide/system/software/prefer_64bit_os/rule.yml b/linux_os/guide/system/software/prefer_64bit_os/rule.yml -index af33fe43359..f2ae5406c24 100644 ---- a/linux_os/guide/system/software/prefer_64bit_os/rule.yml -+++ b/linux_os/guide/system/software/prefer_64bit_os/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-83691-6 - cce@rhel8: CCE-83694-0 -+ cce@rhel9: CCE-90839-2 - - references: - anssi: BP28(R10) -diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml -index 2392bdc2c44..1fb36944e43 100644 ---- 
a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml -+++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82213-0 - cce@rhel8: CCE-82214-8 -+ cce@rhel9: CCE-83523-1 - cce@rhcos4: CCE-82523-2 - - references: -diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml -index fb6e9833b31..cc7fbbc0959 100644 ---- a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml -@@ -18,6 +18,7 @@ severity: high - identifiers: - cce@rhel7: CCE-83740-1 - cce@rhel8: CCE-83747-6 -+ cce@rhel9: CCE-83537-1 - - references: - anssi: BP28(R58) -diff --git a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml -index 00e56a1427d..e7c96e8d5ac 100644 ---- a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-83787-2 - cce@rhel8: CCE-83790-6 -+ cce@rhel9: CCE-83539-7 - - references: - anssi: BP28(R58) -diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml -index 2164cefec8c..67f9fcb1a42 100644 ---- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-83797-1 - cce@rhel8: CCE-83798-9 -+ cce@rhel9: CCE-83538-9 - - references: - anssi: BP28(R58) -diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -index 05a3127c6ae..90760109e3c 100644 ---- 
a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -@@ -15,6 +15,7 @@ severity: low - identifiers: - cce@rhel7: CCE-83600-7 - cce@rhel8: CCE-83601-5 -+ cce@rhel9: CCE-83527-2 - - references: - cis@rhel7: 5.2.3 -diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml -index 3c96138cbc9..a9a594e87f8 100644 ---- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml -@@ -20,6 +20,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80350-2 - cce@rhel8: CCE-82202-3 -+ cce@rhel9: CCE-83544-7 - cce@sle12: CCE-83013-3 - cce@sle15: CCE-83291-5 - -diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml -index 172eedba548..a8658c9ed88 100644 ---- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml -@@ -21,6 +21,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-80351-0 - cce@rhel8: CCE-82197-5 -+ cce@rhel9: CCE-83536-3 - cce@sle12: CCE-83012-5 - cce@sle15: CCE-85663-3 - -diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml -index 2138ea9ead0..cae15396bfe 100644 ---- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml -@@ -22,6 +22,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82278-3 - cce@rhel8: CCE-82279-1 -+ cce@rhel9: CCE-83543-9 - cce@sle15: CCE-85673-2 - - references: -diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml 
b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -index 930915327e0..a708f7a073b 100644 ---- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -@@ -23,6 +23,7 @@ identifiers: - cce@sle15: CCE-85712-8 - cce@rhel7: CCE-83423-4 - cce@rhel8: CCE-83425-9 -+ cce@rhel9: CCE-83525-6 - - - references: -diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml -index 32bff061c95..a32e759eee4 100644 ---- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml -@@ -19,6 +19,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82349-2 - cce@rhel8: CCE-82365-8 -+ cce@rhel9: CCE-83528-0 - - ocil_clause: 'nopasswd is set for any users beyond vdsm' - -diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml -index a0590c8b0b7..8bd794aa2b2 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml -@@ -22,8 +22,9 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: CCE-83631-2 -- cce@rhel8: CCE-83632-0 -+ cce@rhel7: CCE-83631-2 -+ cce@rhel8: CCE-83632-0 -+ cce@rhel9: CCE-83545-4 - - references: - anssi: BP28(R63) -diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml -index 5421c589098..896c103747c 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml -@@ -21,8 +21,9 @@ rationale: |- - 
severity: medium - - identifiers: -- cce@rhel7: CCE-83517-3 -- cce@rhel8: CCE-83518-1 -+ cce@rhel7: CCE-83517-3 -+ cce@rhel8: CCE-83518-1 -+ cce@rhel9: CCE-83524-9 - - references: - anssi: BP28(R61) -diff --git a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml -index ef2dd6e27dc..bcc9ecd0ee3 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml -@@ -18,8 +18,9 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: CCE-83597-5 -- cce@rhel8: CCE-83598-3 -+ cce@rhel7: CCE-83597-5 -+ cce@rhel8: CCE-83598-3 -+ cce@rhel9: CCE-83531-4 - - references: - anssi: BP28(R60) -diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml -index d17f33852db..f336906294a 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml -@@ -22,6 +22,7 @@ rationale: |- - identifiers: - cce@rhel7: CCE-83421-8 - cce@rhel8: CCE-83422-6 -+ cce@rhel9: CCE-83529-8 - cce@sle15: CCE-85747-4 - - references: -diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml -index 61ec3bb5041..acaf85219c8 100644 ---- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml -@@ -16,6 +16,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82920-0 - cce@rhel8: CCE-82919-2 -+ cce@rhel9: CCE-83507-4 - - references: - srg: SRG-OS-000095-GPOS-00049 -diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml 
b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml -index 8b71752795a..15757ec7a6a 100644 ---- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml -@@ -16,6 +16,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82927-5 - cce@rhel8: CCE-82926-7 -+ cce@rhel9: CCE-83508-2 - - references: - srg: SRG-OS-000095-GPOS-00049 -diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml -index fe5b1710349..5440804c82b 100644 ---- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml -@@ -16,6 +16,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82924-2 - cce@rhel8: CCE-82923-4 -+ cce@rhel9: CCE-83510-8 - - references: - srg: SRG-OS-000095-GPOS-00049 -diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml -index 6cd038c7614..7723195d483 100644 ---- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml -@@ -16,6 +16,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82908-5 - cce@rhel8: CCE-82907-7 -+ cce@rhel9: CCE-83512-4 - - references: - srg: SRG-OS-000095-GPOS-00049 -diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml -index 6fea7c33159..74b217d9e4e 100644 ---- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml -+++ 
b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml -@@ -16,6 +16,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82914-3 - cce@rhel8: CCE-82913-5 -+ cce@rhel9: CCE-83513-2 - - references: - srg: SRG-OS-000095-GPOS-00049 -diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml -index 9950ab14215..b058c92597b 100644 ---- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml -@@ -16,6 +16,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82917-6 - cce@rhel8: CCE-82916-8 -+ cce@rhel9: CCE-83514-0 - - references: - srg: SRG-OS-000095-GPOS-00049 -diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml -index f98b732a50a..43da8d34b26 100644 ---- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml -@@ -15,6 +15,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82911-9 - cce@rhel8: CCE-82910-1 -+ cce@rhel9: CCE-83515-7 - - references: - srg: SRG-OS-000095-GPOS-00049 -diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml -index c53a12edfc7..1af48c1611b 100644 ---- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml -@@ -18,6 +18,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-82395-5 -+ cce@rhel9: CCE-83494-5 - - 
references: - ospp: FIA_X509_EXT -diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml -index aa1ae14ade9..3e46bd39a7e 100644 ---- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml -@@ -15,6 +15,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82944-0 - cce@rhel8: CCE-82943-2 -+ cce@rhel9: CCE-83516-5 - - references: - srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml -index 651bf3eb4c1..6a99a5b82e6 100644 ---- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml -@@ -16,6 +16,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82947-3 - cce@rhel8: CCE-82946-5 -+ cce@rhel9: CCE-83519-9 - - references: - srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml -index b26dc2dbdf3..845167a237b 100644 ---- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml -@@ -19,6 +19,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82930-9 - cce@rhel8: CCE-82931-7 -+ cce@rhel9: CCE-83520-7 - - references: - srg: SRG-OS-000095-GPOS-00049,SRG-OS-000120-GPOS-00061 -diff --git a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml 
-index 475980cd54e..c2c8a19aa64 100644 ---- a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml -@@ -17,6 +17,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82219-7 - cce@rhel8: CCE-82220-5 -+ cce@rhel9: CCE-83502-5 - - references: - srg: SRG-OS-000480-GPOS-00227,SRG-OS-000191-GPOS-00080 -diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml -index 1d0ed040448..2396f5bb118 100644 ---- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82882-2 - cce@rhel8: CCE-82883-0 -+ cce@rhel9: CCE-83503-3 - - ocil_clause: 'the package is not installed' - -diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml -index f0ca76b6953..1acb18a6866 100644 ---- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82969-7 - cce@rhel8: CCE-82968-9 -+ cce@rhel9: CCE-83504-1 - - references: - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml -index 2c272a01e3b..a7f9dfd8d76 100644 ---- a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml -@@ -23,6 +23,7 @@ 
severity: medium - identifiers: - cce@rhel7: CCE-82951-5 - cce@rhel8: CCE-82949-9 -+ cce@rhel9: CCE-83505-8 - - references: - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml -index 0742a1638fd..e79b482e89a 100644 ---- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml -@@ -19,6 +19,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82638-8 - cce@rhel8: CCE-82316-1 -+ cce@rhel9: CCE-83506-6 - - references: - srg: SRG-OS-000366-GPOS-00153 -diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml -index 66f864069e2..728a04f5ac8 100644 ---- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml -@@ -18,6 +18,7 @@ severity: low - identifiers: - cce@rhel7: CCE-82905-1 - cce@rhel8: CCE-82904-4 -+ cce@rhel9: CCE-83521-5 - - references: - srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -index d0289b311c6..43e3a975354 100644 ---- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -@@ -23,6 +23,7 @@ severity: low - identifiers: - cce@rhel7: CCE-80346-0 - cce@rhel8: CCE-82476-3 -+ cce@rhel9: CCE-83458-0 - cce@sle12: CCE-83186-7 - cce@sle15: CCE-85551-0 - -diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml 
b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml -index 7a10f5dd9ed..a8834659ed5 100644 ---- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml -+++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml -@@ -20,6 +20,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-82494-6 -+ cce@rhel9: CCE-83456-4 - - references: - ospp: FMT_SMF_EXT.1 -diff --git a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml -index 10e9e0ac2e9..5a4ad9e674e 100644 ---- a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml -+++ b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml -@@ -18,6 +18,7 @@ severity: low - - identifiers: - cce@rhel8: CCE-82267-6 -+ cce@rhel9: CCE-83461-4 - - references: - ospp: FMT_SMF_EXT.1 -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -index 8b2f877b60a..668d4b95f9e 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -@@ -33,6 +33,7 @@ severity: high - identifiers: - cce@rhel7: CCE-26989-4 - cce@rhel8: CCE-80790-9 -+ cce@rhel9: CCE-83457-2 - cce@sle12: CCE-83068-7 - cce@sle15: CCE-83290-7 - -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml -index 67459838987..52c23b17f11 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml -@@ -22,6 +22,7 @@ severity: high - identifiers: - 
cce@rhel7: CCE-80347-8 - cce@rhel8: CCE-80791-7 -+ cce@rhel9: CCE-83463-0 - - references: - stigid@ol7: OL07-00-020060 -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml -index 6adc5810034..53f832bdce8 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml -@@ -22,6 +22,7 @@ severity: high - identifiers: - cce@rhel7: CCE-26876-3 - cce@rhel8: CCE-80792-5 -+ cce@rhel9: CCE-83464-8 - - references: - srg: SRG-OS-000366-GPOS-00153 -diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml -index 0bdace740b4..490683fe252 100644 ---- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml -+++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml -@@ -16,6 +16,7 @@ severity: medium - identifiers: - cce@rhel7: CCE-82986-1 - cce@rhel8: CCE-82985-3 -+ cce@rhel9: CCE-83454-9 - - references: - srg: SRG-OS-000191-GPOS-00080 -diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml -index 07aa5c3575b..7451f5637b5 100644 ---- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml -+++ b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml -@@ -15,6 +15,7 @@ severity: medium - - identifiers: - cce@rhel8: CCE-82360-9 -+ cce@rhel9: CCE-83459-8 - - references: - ospp: FMT_SMF_EXT.1 -From 4325e8a4ec9f02766ae873ad25f0bbcf926bd72b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Wed, 23 Jun 2021 17:20:40 +0200 -Subject: [PATCH 4/4] Resolved chrony vs ntp rules. 
- -Profiles should select only chrony rules, as ntp is not -supposed to be used in RHEL9. ---- - rhel9/profiles/ism_o.profile | 3 +-- - rhel9/profiles/pci-dss.profile | 6 +++--- - rhel9/profiles/stig.profile | 2 +- - 3 files changed, 5 insertions(+), 6 deletions(-) - -diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile -index 3a884f8371d..2aa4af470e9 100644 ---- a/rhel9/profiles/ism_o.profile -+++ b/rhel9/profiles/ism_o.profile -@@ -90,9 +90,8 @@ selections: - - rsyslog_remote_tls_cacert - - package_chrony_installed - - service_chronyd_enabled --# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM -+ # - chronyd_specify_multiple_servers - - chronyd_specify_remote_server --# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM - - ## Events to be logged - ## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957 -diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile -index 6b00be5f76a..2c027af5236 100644 ---- a/rhel9/profiles/pci-dss.profile -+++ b/rhel9/profiles/pci-dss.profile -@@ -79,9 +79,9 @@ selections: - - audit_rules_kernel_module_loading_init - - audit_rules_immutable - - var_multiple_time_servers=rhel --# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM --# - chronyd_or_ntpd_specify_remote_server # not supported in RHEL9 ATM --# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM -+ - service_chronyd_enabled -+ - chronyd_specify_remote_server -+ # - chronyd_specify_multiple_servers - - rpm_verify_permissions - - rpm_verify_hashes - # - install_hids # not supported in RHEL9 ATM -diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile -index 1baafe6f751..eef1f901ab5 100644 -e-- a/rhel9/profiles/stig.profile -+++ b/rhel9/profiles/stig.profile -@@ -820,7 +820,7 @@ selections: - - # RHEL-08-030740 - # remediation fails because default configuration file contains pool instead of server keyword --# - chronyd_or_ntpd_set_maxpoll # not 
supported in RHEL9 ATM -+ # - chronyd_set_maxpoll # Doesn't exist in RHEL9, but it should - - # RHEL-08-030741 - # - chronyd_client_only # not supported in RHEL9 ATM diff --git a/scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch b/scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch deleted file mode 100644 index 8d072ad..0000000 --- a/scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch +++ /dev/null 
@@ -1,1052 +0,0 @@ -From 041e6ff67258af02da7acc4d8c42d3309677ef50 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 14 May 2021 16:01:05 +0200 -Subject: [PATCH 1/5] Enabled integrity-related rules for RHEL9. - -As the product doesn't have fingerprints available, rules have been extended -to build, but to return NOTCHECKED if until the product yaml is updated. ---- - .../updating/ensure_redhat_gpgkey_installed/oval/shared.xml | 3 +++ - .../software/updating/ensure_redhat_gpgkey_installed/rule.yml | 3 ++- - .../software/updating/security_patches_up_to_date/rule.yml | 3 ++- - shared/references/cce-redhat-avail.txt | 2 -- - 4 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml -index 519589c40c3..dd514ad95fc 100644 ---- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml -+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml -@@ -1,3 +1,5 @@ -+{{% if pkg_version %}} -+{{# If pkg_version isn't defined, then the rule should be NOTCHECKED, because we don't have data needed for the check #}} - - - {{{ oval_metadata("The Red Hat release and auxiliary key packages are required to be installed.") }}} -@@ -73,3 +75,4 @@ - {{%- endif %}} - - -+{{% endif %}} -diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml -index 8a7a5e0b9ff..890574b6742 100644 ---- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,rhv4,rhcos4 -+prodtype: rhcos4,rhel7,rhel8,rhel9,rhv4 - - title: 'Ensure Red 
Hat GPG Key Installed' - -@@ -35,6 +35,7 @@ severity: high - identifiers: - cce@rhel7: CCE-26957-1 - cce@rhel8: CCE-80795-8 -+ cce@rhel9: CCE-84180-9 - cce@rhcos4: CCE-82754-3 - - references: -diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml -index f7b42999a23..00a6e56f47a 100644 ---- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml -+++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu1604,ubuntu1804 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804 - - title: 'Ensure Software Patches Installed' - -@@ -38,6 +38,7 @@ severity: high - identifiers: - cce@rhel7: CCE-26895-3 - cce@rhel8: CCE-80865-9 -+ cce@rhel9: CCE-84185-8 - cce@sle12: CCE-83002-6 - cce@sle15: CCE-83261-8 - -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 4c4f8c3aa36..626849d3f2b 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -506,10 +506,8 @@ CCE-84176-7 - CCE-84177-5 - CCE-84178-3 - CCE-84179-1 --CCE-84180-9 - CCE-84181-7 - CCE-84183-3 --CCE-84185-8 - CCE-84186-6 - CCE-84187-4 - CCE-84188-2 - -From d25f7f0a0373492e1e65e959e3e4a7dee401bdd3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 14 May 2021 16:13:14 +0200 -Subject: [PATCH 2/5] Enable service disabled rules for RHEL9. - -Although some of those services are very unlikely to appear on a RHEL9 system, -there is little harm coming from making sure that they are not enabled. 
---- - .../disable_avahi_group/service_avahi-daemon_disabled/rule.yml | 2 +- - linux_os/guide/services/base/service_abrtd_disabled/rule.yml | 2 +- - linux_os/guide/services/base/service_ntpdate_disabled/rule.yml | 2 +- - linux_os/guide/services/base/service_oddjobd_disabled/rule.yml | 2 +- - linux_os/guide/services/base/service_qpidd_disabled/rule.yml | 3 ++- - linux_os/guide/services/base/service_rdisc_disabled/rule.yml | 2 +- - linux_os/guide/services/base/service_rhnsd_disabled/rule.yml | 2 +- - .../guide/services/cron_and_at/service_atd_disabled/rule.yml | 2 +- - .../dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml | 2 +- - .../dns/disabling_dns_server/service_named_disabled/rule.yml | 2 +- - .../ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml | 2 +- - .../http/disabling_httpd/service_httpd_disabled/rule.yml | 2 +- - .../imap/disabling_dovecot/service_dovecot_disabled/rule.yml | 2 +- - .../disabling_nfs_services/service_rpcbind_disabled/rule.yml | 2 +- - .../disabling_nfsd/service_nfs_disabled/rule.yml | 2 +- - .../obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml | 3 ++- - .../guide/services/obsolete/service_rsyncd_disabled/rule.yml | 2 +- - .../services/obsolete/telnet/service_telnet_disabled/rule.yml | 2 +- - .../guide/services/printing/service_cups_disabled/rule.yml | 2 +- - .../proxy/disabling_squid/service_squid_disabled/rule.yml | 2 +- - .../routing/disabling_quagga/service_zebra_disabled/rule.yml | 3 ++- - .../services/smb/disabling_samba/service_smb_disabled/rule.yml | 2 +- - .../disabling_snmp_service/service_snmpd_disabled/rule.yml | 2 +- - .../permissions/mounting/service_autofs_disabled/rule.yml | 2 +- - 24 files changed, 27 insertions(+), 24 deletions(-) - -diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -index 2371c89fb6b..9254d328436 100644 ---- 
a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable Avahi Server Software' - -diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml -index be6b76c46ad..cacd7eeb3a7 100644 ---- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Disable Automatic Bug Reporting Tool (abrtd)' - -diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml -index 9ac97104351..8dfbcf5faab 100644 ---- a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Disable ntpdate Service (ntpdate)' - -diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml -index f4b72c18890..64aa1c45f9e 100644 ---- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Disable Odd Job Daemon (oddjobd)' - -diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml -index 
3fc7c806ff0..badee1af18e 100644 ---- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml -@@ -1,6 +1,7 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8 -+# package is unlikely to appear on a RHEL9 system, don't extend to RHEL10 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Disable Apache Qpid (qpidd)' - -diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml -index 924720cf9cb..772f8c37e68 100644 ---- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Disable Network Router Discovery Daemon (rdisc)' - -diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml -index c7eae4fb2f9..ba3b04d8811 100644 ---- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8 -+prodtype: rhel7,rhel8,rhel9 - - title: 'Disable Red Hat Network Service (rhnsd)' - -diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml -index 372329ad749..12bde00f86c 100644 ---- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml -+++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Disable At Service (atd)' - -diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml 
b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -index ab622910ad6..ef7cb53457e 100644 ---- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,sle15 -+prodtype: rhel7,rhel8,rhel9,sle15 - - title: 'Disable DHCP Service' - -diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -index 67ec760f7fe..ee4527a8953 100644 ---- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,sle15 -+prodtype: rhel7,rhel8,rhel9,sle15 - - title: 'Disable named Service' - -diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml -index e666b152eea..e6424e0162a 100644 ---- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml -+++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,sle15 -+prodtype: rhel7,rhel8,rhel9,sle15 - - title: 'Disable vsftpd Service' - -diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml -index 54c5c7e338c..10808731308 100644 ---- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml -+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,sle15 
-+prodtype: rhel7,rhel8,rhel9,sle15 - - title: 'Disable httpd Service' - -diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -index 94441062700..54235dbfe6a 100644 ---- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,sle15 -+prodtype: rhel7,rhel8,rhel9,sle15 - - title: 'Disable Dovecot Service' - -diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -index 5908d55e6cf..f7631918fe8 100644 ---- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable rpcbind Service' - -diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -index 2e18c0ba09a..5ecd328720e 100644 ---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhel7,rhel8 -+prodtype: fedora,rhel7,rhel8,rhel9 - - title: 'Disable Network File System (nfs)' - -diff --git 
a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml -index c35040318a3..2c6448da572 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml -@@ -1,6 +1,7 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle15 -+# package is unlikely to appear on a RHEL9 system, don't extend to RHEL10 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 - - title: 'Disable xinetd Service' - -diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -index b26b56dec64..dc284c81998 100644 ---- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,sle15 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15 - - title: 'Ensure rsyncd service is diabled' - -diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml -index 049f2a48d58..b6446c2a78b 100644 ---- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 - - title: 'Disable telnet Service' - -diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml -index 11f30b3f837..71ef701ec8f 100644 ---- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml -+++ 
b/linux_os/guide/services/printing/service_cups_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,sle15 -+prodtype: rhel7,rhel8,rhel9,sle15 - - title: 'Disable the CUPS Service' - -diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -index c049dd1849f..1a538ab1e05 100644 ---- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -+++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable Squid' - -diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml -index b8aabc13a8c..8d173cf74f4 100644 ---- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml -+++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml -@@ -1,6 +1,7 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4 -+# package is unlikely to appear on a RHEL9 system, don't extend to RHEL10 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 - - title: 'Disable Quagga Service' - -diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -index 9360fc5de8b..1dba9883089 100644 ---- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,sle15 -+prodtype: rhel7,rhel8,rhel9,sle15 - - title: 'Disable Samba' - -diff --git 
a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -index 506ee9976f2..df46bd44b95 100644 ---- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: debian10,debian9,rhel7,rhel8,sle15 -+prodtype: debian10,debian9,rhel7,rhel8,rhel9,sle15 - - title: 'Disable snmpd Service' - -diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -index f760480a103..e18b2fe0a9f 100644 ---- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019,ubuntu1804 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,wrlinux1019 - - title: 'Disable the Automounter' - - -From c8ac3c49dc377cd487ac15561938de9f1180c92a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 14 May 2021 16:16:43 +0200 -Subject: [PATCH 3/5] Enabled low-level rules for RHEL9. - -File owner-related settings are largery independent from changes in components. 
---- - .../guide/services/cron_and_at/file_groupowner_cron_d/rule.yml | 2 +- - .../services/cron_and_at/file_groupowner_cron_daily/rule.yml | 2 +- - .../services/cron_and_at/file_groupowner_cron_hourly/rule.yml | 2 +- - .../services/cron_and_at/file_groupowner_cron_monthly/rule.yml | 2 +- - .../services/cron_and_at/file_groupowner_cron_weekly/rule.yml | 2 +- - .../guide/services/cron_and_at/file_groupowner_crontab/rule.yml | 2 +- - linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml | 2 +- - .../guide/services/cron_and_at/file_owner_cron_daily/rule.yml | 2 +- - .../guide/services/cron_and_at/file_owner_cron_hourly/rule.yml | 2 +- - .../guide/services/cron_and_at/file_owner_cron_monthly/rule.yml | 2 +- - .../guide/services/cron_and_at/file_owner_cron_weekly/rule.yml | 2 +- - linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml | 2 +- - .../guide/services/ssh/file_groupowner_sshd_config/rule.yml | 2 +- - linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml | 2 +- - .../file_groupownership_home_directories/rule.yml | 2 +- - .../non-uefi/file_groupowner_grub2_cfg/rule.yml | 2 +- - .../bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml | 2 +- - 17 files changed, 17 insertions(+), 17 deletions(-) - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -index 12b3e134b84..bcf17d8d1ba 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,rhel8,rhv4,sle15 -+prodtype: rhel7,rhel8,rhel9,rhv4,sle15 - - title: 'Verify Group Who Owns cron.d' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -index 81b4dafe7ac..3731bcff80a 100644 ---- 
a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Group Who Owns cron.daily'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-index d9d95c54f67..f6be1d8e385 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Group Who Owns cron.hourly'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-index bc34431e4a6..823bf13d3a8 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Group Who Owns cron.monthly'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-index 6098829df8b..edeef8ff378 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Group Who Owns cron.weekly'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-index 93469e4e4f0..8c4027198e3 100644
---- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Group Who Owns Crontab'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-index 8835efc173e..29df5f3a977 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Owner on cron.d'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-index 329b6c3948c..f7e7811c8b1 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Owner on cron.daily'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-index c28cac4d453..04041e13dfe 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Owner on cron.hourly'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-index 20d3604fb0b..46757a03195 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Owner on cron.monthly'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-index c34295639c3..48f897e4339 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Owner on cron.weekly'
-
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-index 41857468590..738d9820b7f 100644
---- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15
-+prodtype: rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Owner on crontab'
-
-diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-index 48c52f4f99d..08224309561 100644
---- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15,rhcos4
-+prodtype: rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Group Who Owns SSH Server config file'
-
-diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-index 8daa499c96f..f69a5a177c0 100644
---- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,rhv4,sle15,rhcos4
-+prodtype: rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify Owner on SSH Server config file'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-index 813c109c155..237e7e86c12 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15
-+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User'
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-index f66589ce1c2..c0acf9f031e 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Group Ownership'
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-index 40bc1115608..94e219fa1ca 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Verify {{{ grub2_boot_path }}}/grub.cfg User Ownership'
-
-
-From 3e3dedd681319fc9952af9e154fb561e882b896b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
-Date: Fri, 14 May 2021 16:25:28 +0200
-Subject: [PATCH 4/5] Enable rules for RHEL9.
-
-There are indications that those packages/services will continue to be part of RHEL9.
----
- .../guide/services/cron_and_at/service_crond_enabled/rule.yml | 2 +-
- .../firewalld_activation/service_firewalld_enabled/rule.yml | 2 +-
- .../software/system-tools/package_rear_installed/rule.yml | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-index de8c5504867..d2c99d0d3f9 100644
---- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
-
- title: 'Enable cron Service'
-
-diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-index 535c588bc14..248da74dc9c 100644
---- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019
-
- title: 'Verify firewalld Enabled'
-
-diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
-index 375301fdb6f..1d0ed040448 100644
---- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
-+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
-
- title: 'Install rear Package'
-
-
-From 8255e799fb395f544871439d5df731da8aed66b3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
-Date: Fri, 14 May 2021 16:46:57 +0200
-Subject: [PATCH 5/5] Enabled various rules for RHEL9
-
-This heterogenous assortment of rules either configures low-level settings that are largely distribution-independent,
-or it performs basic configuration of stable components.
----
- .../postfix_client/postfix_network_listening_disabled/rule.yml | 2 +-
- linux_os/guide/services/mail/service_postfix_enabled/rule.yml | 2 +-
- linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml | 2 +-
- .../disabling_xwindows/xwindows_runlevel_target/rule.yml | 2 +-
- .../system/accounts/accounts-banners/banner_etc_issue/rule.yml | 2 +-
- .../system/accounts/accounts-banners/banner_etc_motd/rule.yml | 2 +-
- .../set_password_hashing_algorithm_systemauth/rule.yml | 2 +-
- .../accounts-physical/require_emergency_target_auth/rule.yml | 2 +-
- .../accounts/accounts-physical/require_singleuser_auth/rule.yml | 2 +-
- .../account_disable_post_pw_expiration/rule.yml | 2 +-
- .../password_storage/no_legacy_plus_entries_etc_group/rule.yml | 2 +-
- .../password_storage/no_legacy_plus_entries_etc_passwd/rule.yml | 2 +-
- .../password_storage/no_legacy_plus_entries_etc_shadow/rule.yml | 2 +-
- .../root_logins/no_shelllogin_for_systemaccounts/rule.yml | 2 +-
- .../system/accounts/accounts-session/accounts_tmout/rule.yml | 2 +-
- .../accounts_user_interactive_home_directory_exists/rule.yml | 2 +-
- .../user_umask/accounts_umask_etc_bashrc/rule.yml | 2 +-
- linux_os/guide/system/auditing/grub2_audit_argument/rule.yml | 2 +-
- .../system/auditing/grub2_audit_backlog_limit_argument/rule.yml | 2 +-
- .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +-
- .../ruleset_modifications/set_firewalld_default_zone/rule.yml | 2 +-
- .../wireless_software/wireless_disable_interfaces/rule.yml | 2 +-
- linux_os/guide/system/network/network_sniffer_disabled/rule.yml | 2 +-
- .../system/permissions/files/no_files_unowned_by_user/rule.yml | 2 +-
- .../restrictions/coredumps/disable_users_coredumps/rule.yml | 2 +-
- .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 2 +-
- .../aide/aide_periodic_cron_checking/rule.yml | 2 +-
- 27 files changed, 27 insertions(+), 27 deletions(-)
-
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-index cea6ebe82bd..be9efe4b409 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: ol7,ol8,rhel7,rhel8,sle15
-+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15
-
- title: 'Disable Postfix Network Listening'
-
-diff --git a/linux_os/guide/services/mail/service_postfix_enabled/rule.yml b/linux_os/guide/services/mail/service_postfix_enabled/rule.yml
-index c807c0e375f..0906d5202dd 100644
---- a/linux_os/guide/services/mail/service_postfix_enabled/rule.yml
-+++ b/linux_os/guide/services/mail/service_postfix_enabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: ol7,ol8,rhel7,rhel8,sle15
-+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15
-
- title: 'Enable Postfix Service'
-
-diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
-index ef9867812c1..5dd9fa6b190 100644
---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
-+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8,fedora,sle15
-+prodtype: fedora,rhel7,rhel8,rhel9,sle15
-
- title: 'Ensure that chronyd is running under chrony user account'
-
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
-index 6a7fcbf095c..e64ddd91807 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,sle12,sle15,rhv4
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-
- title: 'Disable X Windows Startup By Setting Default Target'
-
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-index 5a462ee0163..75453bc8beb 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: 'Modify the System Login Banner'
-
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-index 2c735ad0d41..190e5a8599a 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019
-
- title: 'Modify the System Message of the Day Banner'
-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-index 947de262c31..b0ecbd2bf1e 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: "Set PAM's Password Hashing Algorithm"
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-index 76cbe0b7e97..bc8c0a224b1 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Require Authentication for Emergency Systemd Target'
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-index 3f8b43cc17b..3dee04454c3 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019
-
- title: 'Require Authentication for Single User Mode'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-index 7d9b9bc99cc..0c538123879 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: 'Set Account Expiration Following Inactivity'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
-index ba40c093df4..f9799183e0c 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Ensure there are no legacy + NIS entries in /etc/group'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
-index ef2266df268..1703c8b7ff4 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Ensure there are no legacy + NIS entries in /etc/passwd'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
-index 687bbde8a1f..94ba6160154 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Ensure there are no legacy + NIS entries in /etc/shadow'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-index cc86a6e7b71..65e41ca5c18 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle15
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15
-
- title: 'Ensure that System Accounts Do Not Run a Shell Upon Login'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-index 2a4a2a2f717..5130296ad98 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019,rhcos4
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: 'Set Interactive Session Timeout'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-index 11ebca78867..ac541680fa7 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15
-+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: 'All Interactive Users Home Directories Must Exist'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-index 5b0676910b3..d9afad723ef 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhcos4,ol7,ol8,rhel7,rhel8,sle15
-+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15
-
- title: 'Ensure the Default Bash Umask is Set Correctly'
-
-diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
-index 35d93371321..9f8823ad464 100644
---- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
-+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
-
-diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
-index f087d384578..aab1e2f8cff 100644
---- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
-+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,sle15
-
- title: 'Extend Audit Backlog Limit for the Audit Daemon'
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-index 9f4fd1b1460..522da853ab5 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: 'Set Boot Loader Password in grub2'
-
-diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
-index 60520b21c1f..636e30e3e1f 100644
---- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
-+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15
-
- title: 'Set Default firewalld Zone for Incoming Packets'
-
-diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
-index 37483573a33..1a7b2c785ff 100644
---- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
-+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,sle12
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
-
- title: 'Deactivate Wireless Network Interfaces'
-
-diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
-index 69f20153097..9b1e0b4f69d 100644
---- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
-+++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12,sle15
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: 'Ensure System is Not Acting as a Network Sniffer'
-
-diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-index 81823ab138c..1169d757fd0 100644
---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
-
- title: 'Ensure All Files Are Owned by a User'
-
-diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-index c140e11271f..dd32d225db8 100644
---- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle15
-+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15
-
- title: 'Disable Core Dumps for All Users'
-
-diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
-index 52a1a9bf785..efb2e8fa203 100644
---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
-+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: ol7,ol8,rhel7,rhel8,rhcos4,sle15,ubuntu1804
-+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu1804
-
- title: 'Ensure /var/tmp Located On Separate Partition'
-
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
-index c3f7dedb33f..998a9780b75 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,wrlinux1019
-
- title: 'Configure Periodic Execution of AIDE'
-
diff --git a/scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch b/scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
deleted file mode 100644
index 392daec..0000000
--- a/scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
+++ /dev/null
@@ -1,815 +0,0 @@ -From b1ee8de3856252e2052bee8f5dd2aaaee5dcc95b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 20 May 2021 11:33:52 +0200 -Subject: [PATCH 1/8] Enable update-related rules for RHEL9. - ---- - .../software/updating/dnf-automatic_apply_updates/rule.yml | 2 +- - .../software/updating/package_dnf-automatic_installed/rule.yml | 2 +- - .../software/updating/timer_dnf-automatic_enabled/rule.yml | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml -index 8b0343a52ec..7a10f5dd9ed 100644 ---- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml -+++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol8,rhel8 -+prodtype: fedora,ol8,rhel8,rhel9 - - title: Configure dnf-automatic to Install Available Updates Automatically - -diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml -index 8b332b800c7..0bdace740b4 100644 ---- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml -+++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol8,rhel8 -+prodtype: fedora,ol8,rhel8,rhel9 - - title: 'Install dnf-automatic Package' - -diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml -index 1c51fe22471..07aa5c3575b 100644 ---- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml -+++ 
b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol8,rhel8 -+prodtype: fedora,ol8,rhel8,rhel9 - - title: Enable dnf-automatic Timer - - -From 55bc57583158dc7c8080fdfd41b2c7ee4ddb677f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 20 May 2021 11:45:02 +0200 -Subject: [PATCH 2/8] Enable AIDE rules for RHEL9. - -The component hasn't changed observably wrt our rules. ---- - .../certified-vendor/installed_OS_is_FIPS_certified/rule.yml | 2 +- - .../software-integrity/aide/aide_build_database/rule.yml | 2 +- - .../software-integrity/aide/aide_scan_notification/rule.yml | 2 +- - .../software-integrity/aide/aide_use_fips_hashes/rule.yml | 2 +- - .../integrity/software-integrity/aide/aide_verify_acls/rule.yml | 2 +- - .../software-integrity/aide/aide_verify_ext_attributes/rule.yml | 2 +- - 6 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml -index 07d55e58e55..012fe8f6edd 100644 ---- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml -+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019 -+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019 - - title: 'The Installed Operating System Is FIPS 140-2 Certified' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml 
b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -index 175c997d508..6c0ee2e4c7b 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: debian9,debian10,fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 -+prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 - - title: 'Build and Test AIDE Database' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml -index 24d3f8e1c24..a73fb0a39ad 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,wrlinux1019 - - title: 'Configure Notification of Post-AIDE Scan Details' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml -index 1f86ed8a973..c982b8fde2e 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4 - - title: 'Configure AIDE to Use FIPS 140-2 for Validating Hashes' - -diff --git 
a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml -index 144c0645503..f527068022a 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Configure AIDE to Verify Access Control Lists (ACLs)' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml -index b5bcd202dea..7961f3b5a67 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Configure AIDE to Verify Extended Attributes' - - -From 5425108a0a88ba36b422ee2a1f672f301531c167 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 20 May 2021 15:44:41 +0200 -Subject: [PATCH 3/8] Enabled package installed rules for RHEL9. - -Packages are likely to exist in RHEL9. 
---- - .../disabling_xwindows/xwindows_remove_packages/rule.yml | 2 +- - .../smart_card_login/install_smartcard_packages/rule.yml | 2 +- - .../smart_card_login/package_opensc_installed/rule.yml | 2 +- - .../system/auditing/package_audispd-plugins_installed/rule.yml | 2 +- - .../package_policycoreutils-python-utils_installed/rule.yml | 2 +- - .../system/selinux/package_policycoreutils_installed/rule.yml | 2 +- - .../software/system-tools/package_rng-tools_installed/rule.yml | 2 +- - 7 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml -index 2f9dfc1b039..031d63ba778 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Disable graphical user interface' - -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml -index 85260712c6f..652e9287759 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml -@@ -8,7 +8,7 @@ - - documentation_complete: true - --prodtype: fedora,ol7,rhel7,rhel8,sle12,sle15 -+prodtype: fedora,ol7,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Install Smart Card Packages For Multifactor Authentication' - -diff --git 
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml -index df01a282459..a55409d9e8f 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 - - title: 'Install the opensc Package For Multifactor Authentication' - -diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml -index 8ed5af7070a..6d96d340a33 100644 ---- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml -+++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4 -+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4 - - title: 'Install audispd-plugins Package' - -diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml -index 6c23fae18ab..a18a57dcbb3 100644 ---- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml -+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8 -+prodtype: ol8,rhel8,rhel9 - - title: 'Install policycoreutils-python-utils package' - -diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml 
b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml -index b9fcc6a889e..acce754e9d2 100644 ---- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml -+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 - - title: 'Install policycoreutils Package' - -diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml -index 7d25f41fb98..f0ca76b6953 100644 ---- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 - - title: 'Install rng-tools Package' - - -From ef063898277b53e35db6f3b54604583c3512ff46 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 20 May 2021 16:07:18 +0200 -Subject: [PATCH 4/8] Enabled service-related rules for RHEL9. 
- ---- - linux_os/guide/services/base/service_kdump_disabled/rule.yml | 2 +- - linux_os/guide/services/rng/service_rngd_enabled/rule.yml | 2 +- - linux_os/guide/services/ssh/service_sshd_enabled/rule.yml | 2 +- - .../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml -index 8a12fd05711..1bb014b5993 100644 ---- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 - - title: 'Disable KDump Kernel Crash Analyzer (kdump)' - -diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml -index 5d47b5d69b3..4f1e4d85197 100644 ---- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml -+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhcos4,ol8,rhel8 -+prodtype: fedora,ol8,rhcos4,rhel8,rhel9 - - title: 'Enable the Hardware RNG Entropy Gatherer Service' - -diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml -index 548750d0f61..a7aaa4f3f9c 100644 ---- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml -+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 - - title: 'Enable the OpenSSH Service' - -diff --git 
a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml -index a2e1affd89d..baa8a448026 100644 ---- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhcos4,ol8,rhel8 -+prodtype: fedora,ol8,rhcos4,rhel8,rhel9 - - title: 'Disable acquiring, saving, and processing core dumps' - - -From ce273a6e9a50893d6cd2d623b74d30cba5c5ad8c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 20 May 2021 17:13:54 +0200 -Subject: [PATCH 5/8] More various rules. - ---- - .../files/dir_perms_world_writable_root_owned/rule.yml | 2 +- - .../software/disk_partitioning/encrypt_partitions/rule.yml | 6 ++++-- - .../installed_OS_is_vendor_supported/rule.yml | 4 ++-- - .../crypto/configure_openssl_tls_crypto_policy/rule.yml | 2 +- - .../rule.yml | 2 +- - .../system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +- - .../updating/clean_components_post_updating/rule.yml | 2 +- - 7 files changed, 11 insertions(+), 9 deletions(-) - -diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml -index 9714947ae47..0a4232cae38 100644 ---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml -+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,wrlinux1019 - - title: 'Ensure All World-Writable Directories Are Owned by root user' - -diff --git 
a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml -index 7730800a0e8..ef544f33d48 100644 ---- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15 -+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Encrypt Partitions' - -@@ -37,8 +37,10 @@ description: |- - {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/ol8-install-basic.html#install-storage-network") }}}. - {{% elif product in ["sle12", "sle15"] %}} - {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}} -- {{% else %}} -+ {{% elif product == "rhel7" %}} - {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}. -+ {{% else %}} -+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}. 
- {{% endif %}} - - rationale: |- -diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -index ac76ba7c5a0..8a36d5691b7 100644 ---- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 - - title: 'The Installed Operating System Is Vendor Supported' - -@@ -56,7 +56,7 @@ ocil_clause: 'the installed operating system is not supported' - ocil: |- - To verify that the installed operating system is supported, run - the following command: --{{% if product in ["rhel7", "rhel8"] %}} -+{{% if product.startswith("rhel") %}} -
$ grep -i "red hat" /etc/redhat-release
- {{% elif product in ["ol7", "ol8"] %}} -
$ grep -i "oracle" /etc/oracle-release
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml -index c4637d39fed..dfe105771cc 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel8 -+prodtype: rhel8,rhel9 - - title: 'Configure OpenSSL library to use TLS Encryption' - -diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -index 4b01cb39e1a..930915327e0 100644 ---- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - title: 'The operating system must restrict privilege elevation to authorized personnel' - --prodtype: ol7,ol8,rhel7,rhel8,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15 - - description: |- - The sudo command allows a user to execute programs with elevated -diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml -index eede35be8a1..d17f33852db 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - title: 'Ensure invoking users password for privilege escalation when using sudo' - --prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,sle15 - - description: |- - The sudoers security policy requires that users 
authenticate themselves before they can use sudo. -diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -index 34723d0e2a5..d0289b311c6 100644 ---- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions' - - -From 255ee86df41e9d5e8ee427ff28e214833796f156 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 20 May 2021 17:15:51 +0200 -Subject: [PATCH 6/8] Enabled zIPL rules for RHEL9. - -There are indications that zIPL will remain the default bootloader for x390, and the project is very conservative. ---- - .../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 +- - .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +- - .../guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 2 +- - .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 2 +- - .../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 +- - .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +- - .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 +- - 7 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml -index c2fb5ba678c..987a42d31ec 100644 ---- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml -+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel8,rhcos4 -+prodtype: rhcos4,rhel8,rhel9 - - 
title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL' - -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml -index 6548c352acc..cfb8c08f31d 100644 ---- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml -+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel8,rhcos4 -+prodtype: rhcos4,rhel8,rhel9 - - title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL' - -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml -index c3f032d8cbb..b8b025f74f4 100644 ---- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml -+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel8,rhcos4 -+prodtype: rhcos4,rhel8,rhel9 - - title: 'Ensure all zIPL boot entries are BLS compliant' - -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml -index 13192cd8ca5..c8133e19ab4 100644 ---- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml -+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel8,rhcos4 -+prodtype: rhcos4,rhel8,rhel9 - - title: 'Ensure zIPL bootmap is up to date' - -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml -index 42c1c8aecd5..c626f6188cd 100644 ---- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml -+++ 
b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel8,rhcos4 -+prodtype: rhcos4,rhel8,rhel9 - - title: 'Enable page allocator poisoning in zIPL' - -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml -index 2f9b04f7a27..d266165cddc 100644 ---- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml -+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel8,rhcos4 -+prodtype: rhcos4,rhel8,rhel9 - - title: 'Enable SLUB/SLAB allocator poisoning in zIPL' - -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml -index f90a0fb4141..387f7f13850 100644 ---- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml -+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel8,rhcos4 -+prodtype: rhcos4,rhel8,rhel9 - - title: 'Disable vsyscalls in zIPL' - - -From 807dbda2042184d6d2e602506e846bb3a19a775d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 20 May 2021 17:40:30 +0200 -Subject: [PATCH 7/8] Enabled more audit rules for RHEL9. - -Component maintainers have reported that there are no breaking changes in the audit configuration. 
---- - .../system/auditing/policy_rules/audit_access_failed/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_access_success/rule.yml | 2 +- - .../auditing/policy_rules/audit_basic_configuration/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_create_failed/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_create_success/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_delete_failed/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_delete_success/rule.yml | 2 +- - .../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_modify_failed/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_modify_success/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_module_load/rule.yml | 2 +- - .../system/auditing/policy_rules/audit_ospp_general/rule.yml | 2 +- - .../auditing/policy_rules/audit_owner_change_failed/rule.yml | 2 +- - .../auditing/policy_rules/audit_owner_change_success/rule.yml | 2 +- - .../auditing/policy_rules/audit_perm_change_failed/rule.yml | 2 +- - .../auditing/policy_rules/audit_perm_change_success/rule.yml | 2 +- - 16 files changed, 16 insertions(+), 16 deletions(-) - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -index 458ac7e0ae6..a0d856b023b 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of unsuccessful file accesses' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -index 064618716e8..6f79a5cf04a 100644 ---- 
a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of successful file accesses' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml -index cce5e83fd6e..bd5d6455351 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure basic parameters of Audit system' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -index 92800b472c7..b2f731d11ba 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of unsuccessful file creations' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -index 59db7b10073..a03a7f3b715 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of successful file creations' - -diff --git 
a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -index 2f67a150dc5..d4bd88e6cfc 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of unsuccessful file deletions' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -index f54899fb842..6c05a736e39 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of successful file deletions' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml -index 073f29c9fe6..34e9fc134e0 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure immutable Audit login UIDs' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -index 51f9d76f06d..2d0f7cf9da3 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -@@ -1,6 +1,6 
@@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of unsuccessful file modifications' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -index b51acc04dcb..28045878a69 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of successful file modifications' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml -index 20bfca83eee..d764e384ea2 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of loading and unloading of kernel modules' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -index fbf7473cc4c..0a41ece25fc 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Perform general configuration of Audit for OSPP' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -index 
b0052f8b645..a95c0146b11 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of unsuccessful ownership changes' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -index 3657a32fc3a..4133eb193f2 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of successful ownership changes' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -index 477c74282d0..47f248a2b36 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of unsuccessful permission changes' - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -index 53ecf9d589a..5017b17849b 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8,rhcos4 -+prodtype: 
ol8,rhcos4,rhel8,rhel9 - - title: 'Configure auditing of successful permission changes' - - -From 65b2fe65e7143d38f46f782d7e0d49738ad7dd76 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 20 May 2021 17:46:00 +0200 -Subject: [PATCH 8/8] Enabled Grub cmdline rules for RHEL9. - -Those rules are not very specific - they perform basic configuration of kernel parameters. ---- - .../system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml | 2 +- - .../guide/system/bootloader-grub2/grub2_pti_argument/rule.yml | 2 +- - .../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml | 2 +- - .../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +- - .../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +- - 5 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml -index 39f1bbe285c..03f56b8031d 100644 ---- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,rhel8 -+prodtype: ol8,rhel8,rhel9 - - title: 'Configure kernel to trust the CPU random number generator' - -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml -index 1516972d72c..f186b1ae6e7 100644 ---- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol8,rhel8 -+prodtype: fedora,ol8,rhel8,rhel9 - - title: 'Enable Kernel Page-Table Isolation (KPTI)' - -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml 
b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml -index 9ad81924ceb..0b5873c56a2 100644 ---- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Disable vsyscalls' - -diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml -index 820e4799f87..9b18bee588f 100644 ---- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Enable page allocator poisoning' - -diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml -index 182a0cc507c..f6059044f14 100644 ---- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,rhel7,rhel8 -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9 - - title: 'Enable SLUB/SLAB allocator poisoning' - diff --git a/scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch b/scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch deleted file mode 100644 index 14e8844..0000000 --- a/scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -From a6bd844c52ccadae91ebcb7c252cf4a153522776 Mon Sep 17 00:00:00 2001 -From: Matej Tyc -Date: Wed, 30 Jun 2021 15:10:13 +0200 -Subject: [PATCH] Enable templates for RHEL9. - -Concerned templates are low-level, underlying components are stable. ---- - shared/templates/audit_rules_file_deletion_events/bash.template | 2 +- - shared/templates/audit_rules_login_events/bash.template | 2 +- - shared/templates/audit_rules_path_syscall/bash.template | 2 +- - shared/templates/audit_rules_privileged_commands/bash.template | 2 +- - .../audit_rules_unsuccessful_file_modification/bash.template | 2 +- - shared/templates/grub2_bootloader_argument/bash.template | 2 +- - shared/templates/kernel_module_disabled/ansible.template | 2 +- - shared/templates/mount/anaconda.template | 2 +- - shared/templates/mount_option/anaconda.template | 2 +- - .../mount_option_removable_partitions/anaconda.template | 2 +- - shared/templates/zipl_bls_entries_option/ansible.template | 2 +- - shared/templates/zipl_bls_entries_option/bash.template | 2 +- - 12 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template -index c387624cfb..851b0fd43e 100644 ---- a/shared/templates/audit_rules_file_deletion_events/bash.template -+++ b/shared/templates/audit_rules_file_deletion_events/bash.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - - # Include source function library. - . 
/usr/share/scap-security-guide/remediation_functions -diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template -index 065e8bb288..69e8be9c50 100644 ---- a/shared/templates/audit_rules_login_events/bash.template -+++ b/shared/templates/audit_rules_login_events/bash.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions -diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template -index c3d31aade9..656d168ddd 100644 ---- a/shared/templates/audit_rules_path_syscall/bash.template -+++ b/shared/templates/audit_rules_path_syscall/bash.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions -diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template -index 42e12671ac..85dbc9b828 100644 ---- a/shared/templates/audit_rules_privileged_commands/bash.template -+++ b/shared/templates/audit_rules_privileged_commands/bash.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - - # Include source function library. - . 
/usr/share/scap-security-guide/remediation_functions -diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template -index e89ac0749c..daf146f7eb 100644 ---- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template -+++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions -diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template -index bac84526ee..965fe5bac0 100644 ---- a/shared/templates/grub2_bootloader_argument/bash.template -+++ b/shared/templates/grub2_bootloader_argument/bash.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - - {{% if product in ["rhel7", "ol7"] %}} - {{% if '/' in ARG_NAME %}} -diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template -index 72f7ae18bf..2526baf737 100644 ---- a/shared/templates/kernel_module_disabled/ansible.template -+++ b/shared/templates/kernel_module_disabled/ansible.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle - # reboot = true - # 
strategy = disable - # complexity = low -diff --git a/shared/templates/mount/anaconda.template b/shared/templates/mount/anaconda.template -index 5093c926da..fdcb4ee3e8 100644 ---- a/shared/templates/mount/anaconda.template -+++ b/shared/templates/mount/anaconda.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - # reboot = false - # strategy = enable - # complexity = low -diff --git a/shared/templates/mount_option/anaconda.template b/shared/templates/mount_option/anaconda.template -index 0a54865e12..083b0ef008 100644 ---- a/shared/templates/mount_option/anaconda.template -+++ b/shared/templates/mount_option/anaconda.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - # reboot = false - # strategy = enable - # complexity = low -diff --git a/shared/templates/mount_option_removable_partitions/anaconda.template b/shared/templates/mount_option_removable_partitions/anaconda.template -index b4510ae804..8665fb913a 100644 ---- a/shared/templates/mount_option_removable_partitions/anaconda.template -+++ b/shared/templates/mount_option_removable_partitions/anaconda.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - # reboot = false - # strategy = enable - # complexity = low -diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template -index 7e73d391de..336775e4f8 100644 ---- 
a/shared/templates/zipl_bls_entries_option/ansible.template -+++ b/shared/templates/zipl_bls_entries_option/ansible.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 8 -+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 - # reboot = true - # strategy = configure - # complexity = medium -diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template -index 81bbb7884b..25cd7432c9 100644 ---- a/shared/templates/zipl_bls_entries_option/bash.template -+++ b/shared/templates/zipl_bls_entries_option/bash.template -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 8 -+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 - - # Correct BLS option using grubby, which is a thin wrapper around BLS operations - grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}" diff --git a/scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch b/scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch deleted file mode 100644 index d633eaf..0000000 --- a/scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -From 5d3bcea7c2927f449fbd82074a62425bad89e605 Mon Sep 17 00:00:00 2001 -From: Alex Haydock -Date: Sun, 30 May 2021 19:16:11 +0100 -Subject: [PATCH 1/5] Add sudo custom logfile control for RHEL 8 CIS - ---- - .../sudo/sudo_custom_logfile/rule.yml | 20 +++++++++++++++++++ - .../system/software/sudo/var_sudo_logfile.var | 16 +++++++++++++++ - rhel8/profiles/cis.profile | 2 +- - 3 files changed, 37 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml - create mode 100644 linux_os/guide/system/software/sudo/var_sudo_logfile.var - -diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -new file mode 100644 -index 00000000000..5571c92a679 ---- /dev/null -+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -@@ -0,0 +1,20 @@ -+documentation_complete: true -+ -+title: 'Ensure Sudo Logfile Exists - sudo logfile' -+ -+description: |- -+ A custom logfile can be configured for sudo with the logfile tag. -+ -+rationale: |- -+ A sudo log file simplifies auditing of sudo commands. -+ -+severity: medium -+ -+identifiers: -+ cis@rhel8: 1.3.3 -+ -+template: -+ name: sudo_defaults_option -+ vars: -+ option: logfile -+ variable_name: var_sudo_logfile -diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var -new file mode 100644 -index 00000000000..65b23b5f3c2 ---- /dev/null -+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var -@@ -0,0 +1,16 @@ -+documentation_complete: true -+ -+title: 'Sudo - logfile value' -+ -+description: |- -+ Specify the sudo logfile to use. The default value used here matches the example -+ location from CIS, which uses /var/log/sudo.log. 
-+ -+interactive: false -+ -+type: string -+ -+operator: equals -+ -+options: -+ default: "/var/log/sudo.log" -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index ec9cbfa0a3d..411083d6e71 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -132,7 +132,7 @@ selections: - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220 - - ### 1.3.3 Ensure sudo log file exists (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221 -+ - sudo_custom_logfile - - ## 1.4 Filesystem Integrity Checking - - -From da0883992ba7e712f805b86e5b7c96162aed93ec Mon Sep 17 00:00:00 2001 -From: Alex Haydock -Date: Sun, 30 May 2021 20:46:58 +0100 -Subject: [PATCH 2/5] Update rule with OCIL parameters - ---- - .../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -index 5571c92a679..de0ecb98a76 100644 ---- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -@@ -8,11 +8,18 @@ description: |- - rationale: |- - A sudo log file simplifies auditing of sudo commands. - --severity: medium -+severity: low - - identifiers: - cis@rhel8: 1.3.3 - -+ocil_clause: 'logfile is not enabled in sudo' -+ -+ocil: |- -+ To determine if logfile has been configured for sudo, run the following command: -+
$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
-+ The command should return a matching output. -+ - template: - name: sudo_defaults_option - vars: - -From 2b6721b3e3858d75f27d7ad8395a79a1ce68bc73 Mon Sep 17 00:00:00 2001 -From: Alex Haydock -Date: Mon, 31 May 2021 11:44:13 +0100 -Subject: [PATCH 3/5] Use references field for CIS rather than identifiers - ---- - .../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -index de0ecb98a76..afce7f1867c 100644 ---- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -@@ -10,7 +10,7 @@ rationale: |- - - severity: low - --identifiers: -+references: - cis@rhel8: 1.3.3 - - ocil_clause: 'logfile is not enabled in sudo' - -From ee4ed67f0f9e246b20098d60efed7e20bc7b7a13 Mon Sep 17 00:00:00 2001 -From: Alex Haydock -Date: Tue, 1 Jun 2021 11:28:08 +0100 -Subject: [PATCH 4/5] Add missing CCE identifiers to sudo logfile rule - ---- - .../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++- - shared/references/cce-redhat-avail.txt | 2 -- - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -index afce7f1867c..d08b7891293 100644 ---- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml -@@ -3,14 +3,21 @@ documentation_complete: true - title: 'Ensure Sudo Logfile Exists - sudo logfile' - - description: |- -- A custom logfile can be configured for sudo with the logfile tag. -+ A custom log sudo file can be configured with the 'logfile' tag. 
This rule configures -+ a sudo custom logfile at the default location suggested by CIS, which uses -+ /var/log/sudo.log. - - rationale: |- - A sudo log file simplifies auditing of sudo commands. - - severity: low - -+identifiers: -+ cce@rhel7: CCE-83600-7 -+ cce@rhel8: CCE-83601-5 -+ - references: -+ cis@rhel7: 5.2.3 - cis@rhel8: 1.3.3 - - ocil_clause: 'logfile is not enabled in sudo' -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index ae54d0ee0b2..e74b6779509 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -94,8 +94,6 @@ CCE-83594-2 - CCE-83595-9 - CCE-83596-7 - CCE-83599-1 --CCE-83600-7 --CCE-83601-5 - CCE-83606-4 - CCE-83608-0 - CCE-83609-8 - -From 298533e0e7360752737b24deb07903c04b33bc21 Mon Sep 17 00:00:00 2001 -From: Alex Haydock -Date: Tue, 1 Jun 2021 16:19:45 +0100 -Subject: [PATCH 5/5] Allow users to override sudo logfile location with - tailoring - ---- - linux_os/guide/system/software/sudo/var_sudo_logfile.var | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var -index 65b23b5f3c2..7c5d02d37eb 100644 ---- a/linux_os/guide/system/software/sudo/var_sudo_logfile.var -+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var -@@ -6,7 +6,7 @@ description: |- - Specify the sudo logfile to use. The default value used here matches the example - location from CIS, which uses /var/log/sudo.log. - --interactive: false -+interactive: true - - type: string - diff --git a/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch b/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch new file mode 100644 index 0000000..79a2711 --- /dev/null +++ b/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch 
@@ -0,0 +1,55 @@ +From 460922d3b258ba5b437afc99b5b02d2690788db9 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Tue, 27 Jul 2021 15:20:08 -0400 +Subject: [PATCH] Remove FragmentPath check from service_disabled + +In https://github.com/systemd/systemd/issues/582 it is documented that +systemd could eventually replace FragmentPath=/dev/null (on masked +services) with the actual service path -- not the fully (symlink) +resolved path as is currently the case. + +This matches the behavior currently seen in Ubuntu (all versions) and +RHEL 9/Fedora 34. + +Per discussion with Gabriel, Matej, Richard, and Matt, it is best to +remove this check, especially since ActiveState=Masked suffices. + +Resolves: #7280 +Resolves: #7248 + +Signed-off-by: Alexander Scheel +--- + shared/templates/service_disabled/oval.template | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/shared/templates/service_disabled/oval.template b/shared/templates/service_disabled/oval.template +index 33b52518307..e4ccb0566e7 100644 +--- a/shared/templates/service_disabled/oval.template ++++ b/shared/templates/service_disabled/oval.template +@@ -13,7 +13,6 @@ + + + +- + + + +@@ -41,18 +40,6 @@ + masked + + +- +- +- +- +- +- ^{{{ SERVICENAME }}}\.(service|socket)$ +- FragmentPath +- +- +- /dev/null +- +- + {{% else %}} + + {{% if init_system != "systemd" %}} diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 46a9fb6..bbdac9c 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec 
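Review bot: The commit message carried in the added service_disabled patch justifies dropping the FragmentPath test with `ActiveState=Masked`, but systemd reports masking through the `LoadState` property (`LoadState=masked`), and a masked unit's `ActiveState` is normally `inactive`. The OVAL markup in this hunk did not survive extraction, so only the literal `masked` state value is visible; the property it is compared against is presumably `LoadState`, but that cannot be confirmed from here. Because the FragmentPath test no longer backs up the masked check, it is worth confirming the property name in the upstream template before shipping.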
@@ -1,25 +1,25 @@ +# SSG build system and tests count with build directory name `build`. +# For more details see: +# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds +%global _vpath_builddir build + Name: scap-security-guide -Version: 0.1.56 -Release: 3%{?dist} +Version: 0.1.57 +Release: 1%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 -Patch1: scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch -Patch2: scap-security-guide-0.1.57-build-system-pr-7025.patch -Patch3: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch -Patch4: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch -Patch5: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch -Patch6: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch -Patch7: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch -Patch8: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch -Patch9: scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch BuildArch: noarch +Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch + BuildRequires: libxslt BuildRequires: expat BuildRequires: openscap-scanner >= 1.2.5 BuildRequires: cmake >= 2.8 +# To get python3 inside the buildroot require its path explicitly in BuildRequires +BuildRequires: /usr/bin/python3 BuildRequires: python%{python3_pkgversion} BuildRequires: python%{python3_pkgversion}-jinja2 BuildRequires: python%{python3_pkgversion}-PyYAML 
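Review bot: `Patch0` is added without a comment naming its upstream origin, and the `%changelog` entry added further down in this spec diff mentions only the rebase, although the patch changes how `service_disabled` rules evaluate masked units. A line above it such as `# Backport of upstream PR 7296: remove FragmentPath check from service_disabled` would record where it comes from. A changelog item such as `- Backport service_disabled fix that drops the FragmentPath check (PR 7296)` would tell users why scan results for masked services can differ from the previous build.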
@@ -46,7 +46,7 @@ The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package. -%if %{defined rhel} +%if ( %{defined rhel} && (! %{defined centos}) ) %package rule-playbooks Summary: Ansible playbooks per each rule. Group: System Environment/Base @@ -56,27 +56,21 @@ Requires: %{name} = %{version}-%{release} The %{name}-rule-playbooks package contains individual ansible playbooks per rule. %endif -# Temporarily needed to apply the profile stub patch (identifiers were sorted) -%global _default_patch_fuzz 1 %prep %autosetup -p1 +%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF +%define cmake_defines_specific %{nil} +%if 0%{?rhel} +%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON +%endif +%if 0%{?centos} +%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON +%endif + +mkdir -p build %build -%cmake \ --DSSG_PRODUCT_DEFAULT=OFF \ --DSSG_PRODUCT_RHEL9=ON \ --DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF \ --DSSG_BASH_SCRIPTS_ENABLED=OFF \ -%if %{defined centos} --DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \ -%else --DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ -%endif --DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \ -%if %{defined rhel} --DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \ -%endif --DSSG_BUILD_SCAP_12_DS=OFF +%cmake %{cmake_defines_common} %{cmake_defines_specific} %cmake_build %install 
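Review bot: `cmake_defines_specific` is set by two independent `%if` blocks in the `%prep` hunk, so where both `rhel` and `centos` are defined the result depends on the `centos` block coming last; the `%{defined rhel} && (! %{defined centos})` conditions in this same diff suggest both can be defined at once. A comment above the second block, e.g. `# centos builds also define rhel; keep this block last so it overrides the rhel defines`, or an explicit `%else`, would make that precedence visible. `%global` is the more conventional choice than `%define` for spec-wide macros like these. When neither macro is defined the value stays `%{nil}`, so the build presumably falls back to the upstream default product set instead of the `-DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_RHEL9=ON` configuration that the removed `%cmake` call forced.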
@@ -90,7 +84,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %{_datadir}/%{name}/ansible/*.yml %lang(en) %{_mandir}/man8/scap-security-guide.8.* %doc %{_docdir}/%{name}/LICENSE -%if %{defined rhel} +%if ( %{defined rhel} && (! %{defined centos}) ) %exclude %{_datadir}/%{name}/ansible/rule_playbooks %endif @@ -98,13 +92,17 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %doc %{_docdir}/%{name}/guides/*.html %doc %{_docdir}/%{name}/tables/*.html -%if %{defined rhel} +%if ( %{defined rhel} && (! %{defined centos}) ) %files rule-playbooks %defattr(-,root,root,-) %{_datadir}/%{name}/ansible/rule_playbooks %endif %changelog +* Wed Jul 28 2021 Matej Tyc - 0.1.57-1 +- Upgrade to the latest upstream release +- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts. + * Wed Jul 07 2021 Matej Tyc - 0.1.56-3 - Introduced the playbooks subpackage. - Enabled CentOS content on CentOS systems. diff --git a/sources b/sources index cad4a93..cbe33b4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (scap-security-guide-0.1.56.tar.bz2) = 1c876f1a8e03f3f68de8fd5a8fd020567f0eecb1fb8b9c9f754453c2f22278944f50d06c0f4e771020e2e25facf6cecb1044d3ddb12e531428ca5aacfec3c86c +SHA512 (scap-security-guide-0.1.57.tar.bz2) = e0f030445cc8c629f94be156581a3732abb104e2e5a57a92c64e7fa168b2107e60ee8edfcf8d715c339180317f09378317d031d575673b5384f16208528d66a2