18 changed files with 376 additions and 47800 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
-SOURCES/scap-security-guide-0.1.69.tar.bz2
+SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
+SOURCES/scap-security-guide-0.1.73.tar.bz2
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@ -1 +1,2 @@
-60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
+b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
+de6e660b1e837d2b2b99487bf377fa259b027b49 SOURCES/scap-security-guide-0.1.73.tar.bz2
--- a/SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch
+++ b/SOURCES/scap-security-guide-0.1.69-add-almalinux9-product.patch
--- a/SOURCES/scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
+++ b/SOURCES/scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
@ -1,91 +0,0 @@
-From d98cffdc7ebd3c266e71ead933d401188ef0d66a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 5 Dec 2023 16:05:37 +0100
-Subject: [PATCH 07/14] Add rule `package_s-nail-installed`
-
-Patch-name: scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
-Patch-status: Add rule `package_s-nail-installed`
---
- components/s-nail.yml                         |  5 +++
- .../srg_gpos/SRG-OS-000363-GPOS-00150.yml     |  1 +
- .../mail/package_s-nail_installed/rule.yml    | 33 +++++++++++++++++++
- shared/references/cce-redhat-avail.txt        |  1 -
- 4 files changed, 39 insertions(+), 1 deletion(-)
- create mode 100644 components/s-nail.yml
- create mode 100644 linux_os/guide/services/mail/package_s-nail_installed/rule.yml
-
-diff --git a/components/s-nail.yml b/components/s-nail.yml
-new file mode 100644
-index 0000000000..d93f8c52dc
--- /dev/null
-+++ b/components/s-nail.yml
-@@ -0,0 +1,5 @@
-+name: s-nail
-+packages:
-+- s-nail
-+rules:
-+- package_s-nail_installed
-diff --git a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
-index 3ffba82f03..05a10a2304 100644
--- a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
-+++ b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
-@@ -7,4 +7,5 @@ controls:
-         rules:
-             - aide_periodic_cron_checking
-             - package_aide_installed
-+            - package_s-nail_installed
-         status: automated
-diff --git a/linux_os/guide/services/mail/package_s-nail_installed/rule.yml b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
-new file mode 100644
-index 0000000000..e14fbc9f35
--- /dev/null
-+++ b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
-@@ -0,0 +1,33 @@
-+documentation_complete: true
-+
-+prodtype: rhel9
-+
-+title: 'The s-nail Package Is Installed'
-+
-+description: |-
-+    A mail server is required for sending emails.
-+    {{{ describe_package_install(package="s-nail") }}}
-+
-+rationale: |-
-+    Emails can be used to notify designated personnel about important
-+    system events such as failures or warnings.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel9: CCE-86608-7
-+
-+references:
-+    disa: CCI-001744
-+    nist: CM-3(5)
-+    srg: SRG-OS-000363-GPOS-00150
-+
-+ocil_clause: 'the package is not installed'
-+
-+ocil: '{{{ ocil_package(package="s-nail") }}}'
-+
-+template:
-+    name: package_installed
-+    vars:
-+        pkgname: s-nail
-+
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index ef6afd3fbe..538d9d488d 100644
--- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -315,7 +315,6 @@ CCE-86604-6
- CCE-86605-3
- CCE-86606-1
- CCE-86607-9
-CCE-86608-7
- CCE-86609-5
- CCE-86610-3
- CCE-86612-9
-- 
-2.43.0
-
--- a/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
+++ b/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
@ -1,52 +0,0 @@
-From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 8 Aug 2023 15:15:21 +0200
-Subject: [PATCH] Remove kernel cmdline check
-
-The OVAL in rule enable_fips_mode contains multiple checks. One
-of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
-Although this is useful for latest RHEL versions, this file doesn't
-exist on RHEL 8.6 and 9.0. This causes that the rule fails after
-remediation on these RHEL versions.
-
-We want the same OVAL behavior on all minor RHEL releases, therefore
-we will remove this test from the OVAL completely.
-
-Related to: https://github.com/ComplianceAsCode/content/pull/10897
---
- .../fips/enable_fips_mode/oval/shared.xml         | 15 ---------------
- 1 file changed, 15 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-index 88aae7aaab9..3b50e07060e 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-@@ -12,8 +12,6 @@
-         comment="system cryptography policy is configured"/>
-       <criterion test_ref="test_system_crypto_policy_value"
-         comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
-      <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
-        comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
-       {{% if "ol" in product or "rhel" in product %}}
-       <criteria operator="OR">
-         <criteria operator="AND">
-@@ -57,19 +55,6 @@
-     <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
-   </ind:textfilecontent54_state>
- 
-  <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
-    check="all" check_existence="all_exist"
-    comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
-    <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
-    <ind:state state_ref="state_fips_1_argument_in_captured_group" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
-    <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
-    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-   <ind:variable_test id="test_system_crypto_policy_value" version="1"
-     check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
-     <ind:object object_ref="obj_system_crypto_policy_value" />
--- a/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
+++ b/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
@ -1,272 +0,0 @@
-From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt <maburgha@redhat.com>
-Date: Thu, 27 Jul 2023 10:02:08 +0200
-Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
-
-This commit only improves readability without any technical impact in
-the OVAL logic.
---
- .../fips/enable_fips_mode/oval/shared.xml     | 81 ++++++++++++-------
- 1 file changed, 50 insertions(+), 31 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-index fe3f96f52a5..0ec076a5fb7 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-@@ -1,32 +1,38 @@
- <def-group>
-  <definition class="compliance" id="enable_fips_mode" version="1">
-+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
-     {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
-     <criteria operator="AND">
-      <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
-      <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
-      <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
-      <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
-      <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
-      <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
-+      <extend_definition definition_ref="etc_system_fips_exists"
-+        comment="check /etc/system-fips exists"/>
-+      <extend_definition definition_ref="sysctl_crypto_fips_enabled"
-+        comment="check sysctl crypto.fips_enabled = 1"/>
-+      <extend_definition definition_ref="enable_dracut_fips_module"
-+        comment="Dracut FIPS module is enabled"/>
-+      <extend_definition definition_ref="configure_crypto_policy"
-+        comment="system cryptography policy is configured"/>
-+      <criterion test_ref="test_system_crypto_policy_value"
-+        comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
-+      <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
-+        comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
-       {{% if "ol" in product or "rhel" in product %}}
-       <criteria operator="OR">
-         <criteria operator="AND">
-          <extend_definition comment="Generic test for s390x architecture"
-          definition_ref="system_info_architecture_s390_64" />
-          <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
-          test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
-+          <extend_definition definition_ref="system_info_architecture_s390_64"
-+            comment="Generic test for s390x architecture"/>
-+          <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
-+            comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
-         </criteria>
-         <criteria operator="AND">
-           <criteria negate="true">
-            <extend_definition comment="Generic test for NOT s390x architecture"
-            definition_ref="system_info_architecture_s390_64" />
-+            <extend_definition definition_ref="system_info_architecture_s390_64"
-+              comment="Generic test for NOT s390x architecture"/>
-           </criteria>
-           {{% if product in ["ol8", "rhel8"] %}}
-          <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
-          test_ref="test_grubenv_fips_mode" />
-+          <criterion test_ref="test_grubenv_fips_mode"
-+            comment="check if the kernel boot parameter is configured for FIPS mode"/>
-           {{% else %}}
-          <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
-          test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
-+          <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
-+            comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
-           {{% endif %}}
-         </criteria>
-       </criteria>
-@@ -34,58 +40,71 @@
-     </criteria>
-   </definition>
- 
-  <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
-  comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
-  check="all" check_existence="all_exist" version="1">
-+  <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
-+    check="all" check_existence="all_exist"
-+    comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
-     <ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
-     <ind:state state_ref="state_fips_1_argument_in_captured_group" />
-   </ind:textfilecontent54_test>
-+
-   <ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
-     <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
-     <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-   </ind:textfilecontent54_object>
-+
-   <ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
-     <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
-   </ind:textfilecontent54_state>
-  <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
-  comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
-  check="all" check_existence="all_exist" version="1">
-+
-+  <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
-+    check="all" check_existence="all_exist"
-+    comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
-     <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
-     <ind:state state_ref="state_fips_1_argument_in_captured_group" />
-   </ind:textfilecontent54_test>
-+
-   <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
-     <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
-     <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
-  <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
-+  <ind:variable_test id="test_system_crypto_policy_value" version="1"
-+    check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
-     <ind:object object_ref="obj_system_crypto_policy_value" />
-     <ind:state state_ref="ste_system_crypto_policy_value" />
-   </ind:variable_test>
-+
-   <ind:variable_object id="obj_system_crypto_policy_value" version="1">
-     <ind:var_ref>var_system_crypto_policy</ind:var_ref>
-   </ind:variable_object>
-  <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
-+
-+  <ind:variable_state id="ste_system_crypto_policy_value" version="2"
-+    comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
-   {{% if product in ["ol9","rhel9"] -%}}
-     <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
-   {{%- else %}}
-  {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
-+  {{# Legacy and more relaxed list of crypto policies that were historically considered
-+      FIPS-compatible. More recent products should use the more restricted list of options #}}
-     <ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
-   {{%- endif %}}
-   </ind:variable_state>
-+
-   {{% if product in ["ol8","rhel8"] %}}
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
-  comment="Fips mode selected in running kernel opts" version="1">
-+  <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
-+    check="all" check_existence="all_exist"
-+    comment="Fips mode selected in running kernel opts">
-     <ind:object object_ref="obj_grubenv_fips_mode" />
-   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
-  version="1">
-+
-+  <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
-     <ind:filepath>/boot/grub2/grubenv</ind:filepath>
-     <ind:pattern operation="pattern match">fips=1</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
-   {{% endif %}}
-  <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
-+
-+  <external_variable id="var_system_crypto_policy" version="1"
-+    datatype="string" comment="defined crypto policy"/>
- </def-group>
-
-From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
-From: Marcus Burghardt <maburgha@redhat.com>
-Date: Thu, 27 Jul 2023 10:20:33 +0200
-Subject: [PATCH 2/2] Improve OVAL comments for better readability
-
-Simplified the comments and aligned the respective lines to the
-project Style Guides.
---
- .../fips/enable_fips_mode/oval/shared.xml     | 31 ++++++++++---------
- 1 file changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-index 0ec076a5fb7..88aae7aaab9 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-@@ -3,36 +3,36 @@
-     {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
-     <criteria operator="AND">
-       <extend_definition definition_ref="etc_system_fips_exists"
-        comment="check /etc/system-fips exists"/>
-+        comment="check /etc/system-fips file existence"/>
-       <extend_definition definition_ref="sysctl_crypto_fips_enabled"
-        comment="check sysctl crypto.fips_enabled = 1"/>
-+        comment="check option crypto.fips_enabled = 1 in sysctl"/>
-       <extend_definition definition_ref="enable_dracut_fips_module"
-        comment="Dracut FIPS module is enabled"/>
-+        comment="dracut FIPS module is enabled"/>
-       <extend_definition definition_ref="configure_crypto_policy"
-         comment="system cryptography policy is configured"/>
-       <criterion test_ref="test_system_crypto_policy_value"
-        comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
-+        comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
-       <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
-        comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
-+        comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
-       {{% if "ol" in product or "rhel" in product %}}
-       <criteria operator="OR">
-         <criteria operator="AND">
-           <extend_definition definition_ref="system_info_architecture_s390_64"
-            comment="Generic test for s390x architecture"/>
-+            comment="generic test for s390x architecture"/>
-           <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
-            comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
-+            comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
-         </criteria>
-         <criteria operator="AND">
-           <criteria negate="true">
-             <extend_definition definition_ref="system_info_architecture_s390_64"
-              comment="Generic test for NOT s390x architecture"/>
-+              comment="generic test for non-s390x architecture"/>
-           </criteria>
-           {{% if product in ["ol8", "rhel8"] %}}
-           <criterion test_ref="test_grubenv_fips_mode"
-             comment="check if the kernel boot parameter is configured for FIPS mode"/>
-           {{% else %}}
-           <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
-            comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
-+            comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
-           {{% endif %}}
-         </criteria>
-       </criteria>
-@@ -42,7 +42,7 @@
- 
-   <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
-     check="all" check_existence="all_exist"
-    comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
-+    comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
-     <ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
-     <ind:state state_ref="state_fips_1_argument_in_captured_group" />
-   </ind:textfilecontent54_test>
-@@ -59,7 +59,7 @@
- 
-   <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
-     check="all" check_existence="all_exist"
-    comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
-+    comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
-     <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
-     <ind:state state_ref="state_fips_1_argument_in_captured_group" />
-   </ind:textfilecontent54_test>
-@@ -71,7 +71,7 @@
-   </ind:textfilecontent54_object>
- 
-   <ind:variable_test id="test_system_crypto_policy_value" version="1"
-    check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
-+    check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
-     <ind:object object_ref="obj_system_crypto_policy_value" />
-     <ind:state state_ref="ste_system_crypto_policy_value" />
-   </ind:variable_test>
-@@ -81,7 +81,8 @@
-   </ind:variable_object>
- 
-   <ind:variable_state id="ste_system_crypto_policy_value" version="2"
-    comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
-+    comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
-+to a crypto policy module that further restricts the modified crypto policy.">
-   {{% if product in ["ol9","rhel9"] -%}}
-     <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
-   {{%- else %}}
-@@ -94,7 +95,7 @@
-   {{% if product in ["ol8","rhel8"] %}}
-   <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
-     check="all" check_existence="all_exist"
-    comment="Fips mode selected in running kernel opts">
-+    comment="FIPS mode is selected in running kernel options">
-     <ind:object object_ref="obj_grubenv_fips_mode" />
-   </ind:textfilecontent54_test>
- 
-@@ -106,5 +107,5 @@
-   {{% endif %}}
- 
-   <external_variable id="var_system_crypto_policy" version="1"
-    datatype="string" comment="defined crypto policy"/>
-+    datatype="string" comment="variable which selects the crypto policy"/>
- </def-group>
--- a/SOURCES/scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
+++ b/SOURCES/scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
@ -1,263 +0,0 @@
-From 09b4ceaba513e23ee933349f8a89b9c9b7dc1c26 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 6 Dec 2023 10:02:00 +0100
-Subject: [PATCH 14/14] Add variable support to `auditd_name_format` rule
-
-Patch-name: scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
-Patch-status: Add variable support to `auditd_name_format` rule
---
- controls/srg_gpos.yml                         |   1 +
- .../auditd_name_format/ansible/shared.yml     |   7 +-
- .../auditd_name_format/bash/shared.sh         |   7 +-
- .../auditd_name_format/oval/shared.xml        |  49 ++++-
- .../auditd_name_format/rule.yml               |  23 ++-
- .../var_auditd_flush.var                      |   2 +-
- .../var_auditd_name_format.var                |  18 ++
- products/rhel7/profiles/stig.profile          |   1 +
- products/rhel8/profiles/stig.profile          |   1 +
- .../data/profile_stability/rhel8/stig.profile |   1 +
- .../profile_stability/rhel8/stig_gui.profile  |   1 +
- 15 files changed, 289 insertions(+), 24 deletions(-)
- create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
-
-diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
-index 1be70cf332..45fe8635c0 100644
--- a/controls/srg_gpos.yml
-+++ b/controls/srg_gpos.yml
-@@ -29,3 +29,4 @@ controls:
-             - var_auditd_space_left_action=email
-             - login_banner_text=dod_banners
-             - var_authselect_profile=sssd
-+            - var_auditd_name_format=stig
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
-index c933228357..015e9d6eff 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
-@@ -10,9 +10,14 @@
-   {{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
- {{%- endif %}}
- 
-+{{{ ansible_instantiate_variables("var_auditd_name_format") }}}
-+
-+- name: "{{{ rule_title }}} - Define Value to Be Used in the Remediation"
-+  ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0] }}"
-+
- {{{ ansible_set_config_file(file=auditd_conf_path,
-                   parameter="name_format",
-                  value="hostname",
-+                  value="{{ auditd_name_format_split }}",
-                   create=true,
-                   separator=" = ",
-                   separator_regex="\s*=\s*",
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
-index 67a1203dd5..a08fddc901 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
-@@ -10,9 +10,14 @@
-   {{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
- {{%- endif %}}
- 
-+
-+{{{ bash_instantiate_variables("var_auditd_name_format") }}}
-+
-+var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)"
-+
- {{{set_config_file(path=auditd_conf_path,
-                   parameter="name_format",
-                  value="hostname",
-+                  value="$var_auditd_name_format",
-                   create=true,
-                   insensitive=true,
-                   separator=" = ",
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
-index 1bb86958fa..a98a46773b 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
-@@ -3,10 +3,47 @@
- {{% else %}}
- {{% set audisp_conf_file = "/auditd.conf" %}}
- {{% endif %}}
-+<def-group>
-+  <definition class="compliance" id="auditd_name_format" version="1">
-+    <metadata>
-+    <title>Set type of computer node name logging in audit logs</title>
-+    <affected family="unix">
-+    <platform>multi_platform_all</platform>
-+    </affected>
-+        <description>Ensure 'name_format' is configured with value 'hostname|fdq|numeric' in {{{ audisp_conf_path + audisp_conf_file }}}</description>
-+    </metadata>
-+    <criteria comment="The respective application or service is configured correctly"
-+    operator="OR"><criterion comment="Check the name_format in {{{ audisp_conf_path + audisp_conf_file }}}"
-+  test_ref="test_auditd_name_format" />
-+    </criteria>
-+  </definition>
- 
-{{{ oval_check_config_file(
-    path=audisp_conf_path + audisp_conf_file,
-    prefix_regex="^[ \\t]*(?i)",
-    parameter="name_format",
-    value="(?i)hostname(?-i)",
-    separator_regex="(?-i)[ \\t]*=[ \\t]*") }}}
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-+    comment="tests the value of name_format setting in the {{{ audisp_conf_path + audisp_conf_file }}} file"
-+    id="test_auditd_name_format" version="1">
-+    <ind:object object_ref="obj_auditd_name_format" />
-+    <ind:state state_ref="state_auditd_name_format" />
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="obj_auditd_name_format" version="1">
-+    <ind:filepath>{{{ audisp_conf_path + audisp_conf_file }}}</ind:filepath>
-+    <ind:pattern operation="pattern match">^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+  <ind:textfilecontent54_state id="state_auditd_name_format" version="1">
-+    <ind:subexpression operation="pattern match" var_ref="var_auditd_name_format_regex" />
-+  </ind:textfilecontent54_state>
-+
-+  <local_variable datatype="string" id="var_auditd_name_format_regex" version="1"
-+  comment="Build regex to be case insensitive">
-+    <concat>
-+      <literal_component>(?i)</literal_component>
-+      <variable_component var_ref="var_auditd_name_format"/>
-+    </concat>
-+  </local_variable>
-+
-+  <external_variable comment="audit name_format setting" datatype="string"
-+  id="var_auditd_name_format" version="1" />
-+
-+</def-group>
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
-index 76a908f28f..4ee80e3d07 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
-@@ -1,11 +1,11 @@
- documentation_complete: true
- 
-title: 'Set hostname as computer node name in audit logs'
-+title: 'Set type of computer node name logging in audit logs'
- 
- description: |-
-    To configure Audit daemon to use value returned by gethostname
-    syscall as computer node name in the audit events,
-    set <tt>name_format</tt> to <tt>hostname</tt>
-+    To configure Audit daemon to use a unique identifier
-+    as computer node name in the audit events,
-+    set <tt>name_format</tt> to <tt>{{{ xccdf_value("var_auditd_name_format") }}}</tt>
-     in <tt>/etc/audit/auditd.conf</tt>.
- 
- rationale: |-
-@@ -32,17 +32,22 @@ references:
-     stigid@rhel8: RHEL-08-030062
-     stigid@rhel9: RHEL-09-653060
- 
-ocil_clause: name_format isn't set to hostname
-+ocil_clause: name_format isn't set to {{{ xccdf_value("var_auditd_name_format") }}}
- 
- ocil: |-
-    To verify that Audit Daemon is configured to record the hostname
-    in audit events, run the following command:
-+    To verify that Audit Daemon is configured to record the computer node
-+    name in the audit events, run the following command:
-     <pre>$ sudo grep name_format /etc/audit/auditd.conf</pre>
-     The output should return the following:
-    <pre>name_format = hostname</pre>
-+    <pre>name_format = {{{ xccdf_value("var_auditd_name_format") }}}</pre>
-+
-+warnings:
-+    - general: |-
-+        Whenever the variable <pre>var_auditd_name_format</pre> uses a multiple value option, for example
-+        <pre>A|B|C</pre>, the first value will be used when remediating this rule.
- 
- fixtext: |-
-    {{{ fixtext_audit_configuration(param="name_format", value="hostname") | indent(4) }}}
-+    {{{ fixtext_audit_configuration(param="name_format", value=xccdf_value("var_auditd_name_format")) | indent(4) }}}
- 
- srg_requirement: |-
-     {{{ full_name }}} must label all off-loaded audit logs before sending them to the central log server.
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
-index 3ae67d484a..f7b0bc5b8f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
-@@ -13,5 +13,5 @@ options:
-     default: data
-     incremental: incremental
-     incremental_async: incremental_async
-    none: none
-+    none: "none"
-     sync: sync
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
-new file mode 100644
-index 0000000000..75cc597038
--- /dev/null
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
-@@ -0,0 +1,18 @@
-+documentation_complete: true
-+
-+title: 'Type of hostname to record the audit event'
-+
-+description: 'Type of hostname to record the audit event'
-+
-+type: string
-+
-+interactive: false
-+
-+options:
-+    default: hostname
-+    hostname: hostname
-+    fqd: fqd
-+    numeric: numeric
-+    user: user
-+    none: "none"
-+    stig: hostname|fqd|numeric
-diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
-index 6483dfe3da..1e1e50765a 100644
--- a/products/rhel7/profiles/stig.profile
-+++ b/products/rhel7/profiles/stig.profile
-@@ -335,6 +335,7 @@ selections:
-     - accounts_authorized_local_users
-     - auditd_overflow_action
-     - auditd_name_format
-+    - var_auditd_name_format=stig
-     - sebool_ssh_sysadm_login
-     - sudoers_default_includedir
-     - package_aide_installed
-diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
-index 0e136784a1..3914fae78f 100644
--- a/products/rhel8/profiles/stig.profile
-+++ b/products/rhel8/profiles/stig.profile
-@@ -707,6 +707,7 @@ selections:
- 
-     # RHEL-08-030062
-     - auditd_name_format
-+    - var_auditd_name_format=stig
- 
-     # RHEL-08-030063
-     - auditd_log_format
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 7aabec8694..60dc9d3a50 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -473,6 +473,7 @@ selections:
- - var_auditd_disk_error_action=rhel8
- - var_auditd_max_log_file_action=syslog
- - var_auditd_disk_full_action=rhel8
-+- var_auditd_name_format=stig
- - var_sssd_certificate_verification_digest_function=sha1
- - login_banner_text=dod_banners
- - var_authselect_profile=sssd
-diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
-index bef1437536..b77c8eab2f 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
-+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
-@@ -481,6 +481,7 @@ selections:
- - var_auditd_disk_error_action=rhel8
- - var_auditd_max_log_file_action=syslog
- - var_auditd_disk_full_action=rhel8
-+- var_auditd_name_format=stig
- - var_sssd_certificate_verification_digest_function=sha1
- - login_banner_text=dod_banners
- - var_authselect_profile=sssd
-- 
-2.43.0
-
--- a/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
+++ b/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
@ -1,21 +0,0 @@
-From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 15 Aug 2023 15:17:16 +0200
-Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
-
-rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
---
- controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
-index d5fe6e1327b..9d9dc579fc4 100644
--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
-+++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
-@@ -7,6 +7,4 @@ controls:
-         rules:
-             - sshd_enable_pam
-             - sysctl_crypto_fips_enabled
-            - harden_sshd_ciphers_openssh_conf_crypto_policy
-            - harden_sshd_macs_openssh_conf_crypto_policy
-         status: automated
--- a/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
+++ b/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
@ -1,30 +0,0 @@
-From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 17 Aug 2023 10:50:09 +0200
-Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
-
---
- products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
- products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
-index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
-+++ b/products/rhel8/profiles/anssi_bp28_high.profile
-@@ -17,3 +17,5 @@ description: |-
- 
- selections:
-     - anssi:all:high
-+    # the following rule renders UEFI systems unbootable
-+    - '!sebool_secure_mode_insmod'
-diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
-index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
-+++ b/products/rhel9/profiles/anssi_bp28_high.profile
-@@ -17,3 +17,5 @@ description: |-
- 
- selections:
-     - anssi:all:high
-+    # the following rule renders UEFI systems unbootable
-+    - '!sebool_secure_mode_insmod'
--- a/SOURCES/scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
+++ b/SOURCES/scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
@ -1,104 +0,0 @@
-From cfbc85e51f15d106dd3cf03ef2fc7cd4f3c5d251 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 5 Dec 2023 16:05:37 +0100
-Subject: [PATCH 06/14] Update sshd_approved_ciphers value for RHEL in STIG
- profile
-
-Patch-name: scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
-Patch-status: Update sshd_approved_ciphers value for RHEL in STIG profile
---
- controls/srg_gpos.yml                               | 2 +-
- products/rhel8/profiles/stig.profile                | 2 +-
- tests/data/profile_stability/rhel8/stig.profile     | 6 +++---
- tests/data/profile_stability/rhel8/stig_gui.profile | 6 +++---
- 4 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
-index 65d58d5291..1be70cf332 100644
--- a/controls/srg_gpos.yml
-+++ b/controls/srg_gpos.yml
-@@ -20,7 +20,7 @@ controls:
-             - var_password_hashing_algorithm=SHA512
-             - var_password_pam_dictcheck=1
-             - sshd_approved_macs=stig_extended
-            - sshd_approved_ciphers=stig
-+            - sshd_approved_ciphers=stig_extended
-             - sshd_idle_timeout_value=10_minutes
-             - var_accounts_authorized_local_users_regex=rhel8
-             - var_account_disable_post_pw_expiration=35
-diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
-index 5be8fb8127..0e136784a1 100644
--- a/products/rhel8/profiles/stig.profile
-+++ b/products/rhel8/profiles/stig.profile
-@@ -51,7 +51,7 @@ selections:
-     - var_password_pam_minlen=15
-     - var_sshd_set_keepalive=1
-     - sshd_approved_macs=stig_extended
-    - sshd_approved_ciphers=stig
-+    - sshd_approved_ciphers=stig_extended
-     - sshd_idle_timeout_value=10_minutes
-     - var_accounts_authorized_local_users_regex=rhel8
-     - var_accounts_passwords_pam_faillock_deny=3
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 3fe7cdf4ea..7aabec8694 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -1,6 +1,6 @@
- description: 'This profile contains configuration checks that align to the
- 
-    DISA STIG for Red Hat Enterprise Linux 8 V1R9.
-+    DISA STIG for Red Hat Enterprise Linux 8 V1R11.
- 
- 
-     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
-@@ -22,7 +22,7 @@ description: 'This profile contains configuration checks that align to the
-     - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
- extends: null
- metadata:
-    version: V1R10
-+    version: V1R11
-     SMEs:
-     - mab879
-     - ggbecker
-@@ -455,7 +455,7 @@ selections:
- - var_password_pam_retry=3
- - var_sshd_set_keepalive=1
- - sshd_approved_macs=stig_extended
-- sshd_approved_ciphers=stig
-+- sshd_approved_ciphers=stig_extended
- - sshd_idle_timeout_value=10_minutes
- - var_accounts_authorized_local_users_regex=rhel8
- - var_accounts_passwords_pam_faillock_deny=3
-diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
-index 66ada8588f..bef1437536 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
-+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
-@@ -1,6 +1,6 @@
- description: 'This profile contains configuration checks that align to the
- 
-    DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R9.
-+    DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11.
- 
- 
-     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
-@@ -33,7 +33,7 @@ description: 'This profile contains configuration checks that align to the
-     standard DISA STIG for Red Hat Enterprise Linux 8 profile.'
- extends: null
- metadata:
-    version: V1R10
-+    version: V1R11
-     SMEs:
-     - mab879
-     - ggbecker
-@@ -463,7 +463,7 @@ selections:
- - var_password_pam_retry=3
- - var_sshd_set_keepalive=1
- - sshd_approved_macs=stig_extended
-- sshd_approved_ciphers=stig
-+- sshd_approved_ciphers=stig_extended
- - sshd_idle_timeout_value=10_minutes
- - var_accounts_authorized_local_users_regex=rhel8
- - var_accounts_passwords_pam_faillock_deny=3
-- 
-2.43.0
-
--- a/SOURCES/scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
+++ b/SOURCES/scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
@ -1,212 +0,0 @@
-From f0998f93828e756111294eb4c733fad77febd493 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 6 Dec 2023 10:31:53 +0100
-Subject: [PATCH 15/15] Update ssh stig HMACS and Ciphers allowed in OL8 STIG
-
-Patch-name: scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
-Patch-status: Update ssh stig HMACS and Ciphers allowed in OL8 STIG
---
- linux_os/guide/services/ssh/sshd_approved_ciphers.var        | 1 +
- .../tests/rhel8_stig_correct.pass.sh                         | 5 +++--
- .../tests/rhel8_stig_empty_policy.fail.sh                    | 2 +-
- .../tests/rhel8_stig_incorrect_policy.fail.sh                | 2 +-
- .../tests/rhel8_stig_missing_file.fail.sh                    | 2 +-
- .../harden_sshd_macs_openssh_conf_crypto_policy/rule.yml     | 4 ++--
- .../tests/stig_correct.pass.sh                               | 5 +++--
- .../tests/stig_correct_commented.fail.sh                     | 5 +++--
- .../stig_correct_followed_by_incorrect_commented.pass.sh     | 5 +++--
- .../stig_incorrect_followed_by_correct_commented.fail.sh     | 5 +++--
- .../rule.yml                                                 | 4 ++--
- products/ol8/profiles/stig.profile                           | 4 ++--
- 12 files changed, 25 insertions(+), 19 deletions(-)
-
-diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
-index 65c3fde987..4ab4d36cef 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
-+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
-@@ -12,6 +12,7 @@ interactive: false
- 
- options:
-     stig: aes256-ctr,aes192-ctr,aes128-ctr
-+    stig_extended: aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
-     default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
-     cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
-     cis_sle12: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
-index c84e0c1576..34b69406a3 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
-@@ -1,8 +1,9 @@
- #!/bin/bash
- # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_stig
-+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
-+
-+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
- 
-sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
- configfile=/etc/crypto-policies/back-ends/opensshserver.config
- correct_value="-oCiphers=${sshd_approved_ciphers}"
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
-index 66483e898a..60b4616ce5 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_stig
-+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
- 
- configfile=/etc/crypto-policies/back-ends/opensshserver.config
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
-index e350ce5f0a..3eca150b3f 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_stig
-+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
- 
- configfile=/etc/crypto-policies/back-ends/opensshserver.config
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
-index 11b194db03..f8659efcf0 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
-@@ -1,6 +1,6 @@
- #!/bin/bash
- # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_stig
-+# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
- 
- configfile=/etc/crypto-policies/back-ends/opensshserver.config
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
-index 8736e39afc..547c31545e 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
-@@ -12,7 +12,7 @@ description: |-
-     To check that Crypto Policies settings are configured correctly, ensure that
-     <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
-     line and is not commented out:
-    <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>
-+    <tt>MACs {{{ xccdf_value("sshd_approved_macs") }}}</tt>
- 
- rationale: |-
-     Overriding the system crypto policy makes the behavior of the OpenSSH
-@@ -38,7 +38,7 @@ ocil: |-
-     To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
-     <pre>$ grep -i macs /etc/crypto-policies/back-ends/openssh.config</pre>
-     and verify that the line matches:
-    <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
-+    <pre>MACs {{{ xccdf_value("sshd_approved_macs") }}}</pre>
- 
- warnings:
-     - general: |-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
-index 6edae50924..49d18486f3 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
-@@ -1,8 +1,9 @@
- #!/bin/bash
- # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# profiles = xccdf_org.ssgproject.content_profile_stig
-+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-+
-+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
- 
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
- configfile=/etc/crypto-policies/back-ends/openssh.config
- 
- # Ensure directory + file is there
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
-index 0fec46a5c3..b068e2ea4d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
-@@ -1,8 +1,9 @@
- #!/bin/bash
- # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# profiles = xccdf_org.ssgproject.content_profile_stig
-+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-+
-+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
- 
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
- configfile=/etc/crypto-policies/back-ends/openssh.config
- 
- # Ensure directory + file is there
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
-index 95bf94331c..f57f422701 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
-@@ -1,8 +1,9 @@
- #!/bin/bash
- # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# profiles = xccdf_org.ssgproject.content_profile_stig
-+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-+
-+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
- 
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
- configfile=/etc/crypto-policies/back-ends/openssh.config
- 
- # Ensure directory + file is there
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
-index 4af43d60e7..999463e1c2 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
-@@ -1,8 +1,9 @@
- #!/bin/bash
- # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
-# profiles = xccdf_org.ssgproject.content_profile_stig
-+# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-+
-+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
- 
-sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
- incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
- configfile=/etc/crypto-policies/back-ends/openssh.config
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
-index f08f120f9a..a76cee71d8 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
-@@ -12,7 +12,7 @@ description: |-
-     To check that Crypto Policies settings are configured correctly, ensure that
-     <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
-     text and is not commented out:
-    <tt>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</tt>
-+    <tt>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</tt>
- 
- rationale: |-
-     Overriding the system crypto policy makes the behavior of the OpenSSH
-@@ -38,7 +38,7 @@ ocil: |-
-     To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
-     <pre>$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
-     and verify that the line matches:
-    <pre>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</pre>
-+    <pre>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</pre>
- 
- warnings:
-     - general: |-
-diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
-index ae2795c4fb..2be62c59ca 100644
--- a/products/ol8/profiles/stig.profile
-+++ b/products/ol8/profiles/stig.profile
-@@ -38,8 +38,8 @@ selections:
-     - var_password_pam_retry=3
-     - var_password_pam_minlen=15
-     - var_sshd_set_keepalive=0
-    - sshd_approved_macs=stig
-    - sshd_approved_ciphers=stig
-+    - sshd_approved_macs=stig_extended
-+    - sshd_approved_ciphers=stig_extended
-     - sshd_idle_timeout_value=10_minutes
-     - var_accounts_authorized_local_users_regex=ol8
-     - var_accounts_passwords_pam_faillock_deny=3
-- 
-2.43.0
-
--- a/SOURCES/scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
+++ b/SOURCES/scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
@ -1,158 +0,0 @@
-From 1927922065ba7cab8e389d6b2e4ec014be491bed Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 5 Dec 2023 16:05:37 +0100
-Subject: [PATCH 09/14] Add cron.deny Owership Rules
-
-Patch-name: scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
-Patch-status: Add cron.deny Owership Rules
---
- components/cronie.yml                         |  2 +
- .../srg_gpos/SRG-OS-000480-GPOS-00227.yml     |  2 +
- .../file_groupowner_cron_deny/rule.yml        | 39 ++++++++++++++++++
- .../cron_and_at/file_owner_cron_deny/rule.yml | 41 +++++++++++++++++++
- shared/references/cce-redhat-avail.txt        |  2 -
- 5 files changed, 84 insertions(+), 2 deletions(-)
- create mode 100644 linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
- create mode 100644 linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
-
-diff --git a/components/cronie.yml b/components/cronie.yml
-index c11edb518e..b8bf7f264a 100644
--- a/components/cronie.yml
-+++ b/components/cronie.yml
-@@ -8,6 +8,8 @@ rules:
- - disable_anacron
- - file_at_deny_not_exist
- - file_cron_deny_not_exist
-+- file_owner_cron_deny
-+- file_groupowner_cron_deny
- - file_groupowner_at_allow
- - file_groupowner_cron_allow
- - file_groupowner_cron_d
-diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
-index be60a154c1..d78256777c 100644
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
-+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
-@@ -64,6 +64,8 @@ controls:
-             - file_permissions_ungroupowned
-             - dir_perms_world_writable_root_owned
-             - no_files_unowned_by_user
-+            - file_owner_cron_deny
-+            - file_groupowner_cron_deny
- 
-             # service disabled
-             # - service_rngd_enabled - this rule was removed because it does bring questionable value on modern systems
-diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
-new file mode 100644
-index 0000000000..7cacc3fc7b
--- /dev/null
-+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
-@@ -0,0 +1,39 @@
-+documentation_complete: true
-+
-+prodtype: rhel9
-+
-+title: 'Verify Group Who Owns cron.deny'
-+
-+description: |-
-+    {{{ describe_file_group_owner(file="/etc/cron.deny", group="root") }}}
-+
-+rationale: |-
-+    Service configuration files enable or disable features of their respective services that if configured incorrectly
-+    can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
-+    correct group to prevent unauthorized changes.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel9: CCE-86537-8
-+
-+
-+references:
-+    disa: CCI-000366
-+    nist: CM-6 b
-+    srg: SRG-OS-000480-GPOS-00227
-+
-+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.deny", group="root") }}}'
-+
-+ocil: |-
-+    {{{ ocil_file_group_owner(file="/etc/cron.deny", group="root") }}}
-+
-+fixtext: '{{{ fixtext_file_group_owner(file="/etc/cron.deny/", group="root") }}}'
-+
-+srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/cron.deny", group="root") }}}'
-+
-+template:
-+    name: file_groupowner
-+    vars:
-+        filepath: /etc/cron.deny
-+        gid_or_name: '0'
-diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
-new file mode 100644
-index 0000000000..4297313a74
--- /dev/null
-+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
-@@ -0,0 +1,41 @@
-+documentation_complete: true
-+
-+prodtype: rhel9
-+
-+title: 'Verify Owner on cron.deny'
-+
-+description: |-
-+    {{{ describe_file_owner(file="/etc/cron.deny", owner="root") }}}
-+
-+rationale: |-
-+    Service configuration files enable or disable features of their respective services that if configured incorrectly
-+    can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
-+    correct user to prevent unauthorized changes.
-+
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel9: CCE-86887-7
-+
-+references:
-+    disa: CCI-000366
-+    nist: CM-6 b
-+    srg: SRG-OS-000480-GPOS-00227
-+
-+
-+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.deny", owner="root") }}}'
-+
-+ocil: |-
-+    {{{ ocil_file_owner(file="/etc/cron.deny", owner="root") }}}
-+
-+fixtext: '{{{ fixtext_file_owner(file="/etc/cron.deny/", owner="root") }}}'
-+
-+srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/cron.deny", owner="root") }}}'
-+
-+template:
-+    name: file_owner
-+    vars:
-+        filepath: /etc/cron.deny
-+        fileuid: '0'
-+
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 60663b117a..8ae1e4186f 100644
--- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -259,7 +259,6 @@ CCE-86528-7
- CCE-86530-3
- CCE-86535-2
- CCE-86536-0
-CCE-86537-8
- CCE-86538-6
- CCE-86539-4
- CCE-86540-2
-@@ -516,7 +515,6 @@ CCE-86880-2
- CCE-86881-0
- CCE-86882-8
- CCE-86886-9
-CCE-86887-7
- CCE-86888-5
- CCE-86889-3
- CCE-86890-1
-- 
-2.43.0
-
--- a/SOURCES/scap-security-guide-0.1.71-add_rhel9_stig-PR_11193.patch
+++ b/SOURCES/scap-security-guide-0.1.71-add_rhel9_stig-PR_11193.patch
--- a/SOURCES/scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
+++ b/SOURCES/scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
@ -1,26 +0,0 @@
-From eb4cedf1097bb556134a03648a99c60b16fa4726 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 5 Dec 2023 16:22:29 +0100
-Subject: [PATCH 12/14] Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
-
-Patch-name: scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
-Patch-status: Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
---
- .../bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml      | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-index fef91a47df..3df07a5689 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
-@@ -45,6 +45,7 @@ references:
-     nist-csf: PR.AC-4,PR.DS-5
-     pcidss: Req-7.1
-     pcidss4: "2.2.6"
-+    srg: SRG-OS-000480-GPOS-00227
-     stigid@rhel9: RHEL-09-212030
- 
- ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/grub.cfg", owner="root") }}}'
-- 
-2.43.0
-
--- a/SOURCES/scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
+++ b/SOURCES/scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
@ -1,26 +0,0 @@
-From 89c7d9f8e9837383047b036c9a42a9986590f307 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 5 Dec 2023 16:22:29 +0100
-Subject: [PATCH 11/14] Add var_networkmanager_dns_mode to RHEL 9 STIG
-
-Patch-name: scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
-Patch-status: Add var_networkmanager_dns_mode to RHEL 9 STIG
---
- controls/stig_rhel9.yml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
-index 0966ebb6fc..b576ba08c3 100644
--- a/controls/stig_rhel9.yml
-+++ b/controls/stig_rhel9.yml
-@@ -1516,6 +1516,7 @@ controls:
-         title: RHEL 9 must configure a DNS processing mode set be Network Manager.
-         rules:
-             - networkmanager_dns_mode
-+            - var_networkmanager_dns_mode=none
-         status: automated
- 
-     -   id: RHEL-09-252045
-- 
-2.43.0
-
--- a/SOURCES/scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
+++ b/SOURCES/scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
@ -1,294 +0,0 @@
-From 6f11431ae6ff21170b11e6777141cbe33a8ffe42 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 5 Dec 2023 16:05:37 +0100
-Subject: [PATCH 08/14] New Rule networkmanager_dns_mode
-
-Patch-name: scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
-Patch-status: New Rule networkmanager_dns_mode
---
- components/networkmanager.yml                 |  5 +++
- .../srg_gpos/SRG-OS-000480-GPOS-00227.yml     |  4 +++
- .../system/network/networkmanager/group.yml   |  7 ++++
- .../ansible/shared.yml                        | 14 ++++++++
- .../networkmanager_dns_mode/bash/shared.sh    | 11 ++++++
- .../networkmanager_dns_mode/oval/shared.xml   | 12 +++++++
- .../policy/stig/shared.yml                    | 15 ++++++++
- .../networkmanager_dns_mode/rule.yml          | 34 +++++++++++++++++++
- .../tests/correct.pass.sh                     |  8 +++++
- .../tests/correct_default.pass.sh             |  8 +++++
- .../tests/missing.fail.sh                     |  4 +++
- .../tests/wrong_value.fail.sh                 |  8 +++++
- .../var_networkmanager_dns_mode.var           | 19 +++++++++++
- shared/applicability/package.yml              |  2 ++
- shared/references/cce-redhat-avail.txt        |  1 -
- 15 files changed, 151 insertions(+), 1 deletion(-)
- create mode 100644 components/networkmanager.yml
- create mode 100644 linux_os/guide/system/network/networkmanager/group.yml
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
- create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
- create mode 100644 linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
-
-diff --git a/components/networkmanager.yml b/components/networkmanager.yml
-new file mode 100644
-index 0000000000..75d54b9490
--- /dev/null
-+++ b/components/networkmanager.yml
-@@ -0,0 +1,5 @@
-+name: NetworkManager
-+packages:
-+- NetworkManager
-+rules:
-+- networkmanager_dns_mode
-diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
-index 1aceb0b187..be60a154c1 100644
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
-+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
-@@ -225,6 +225,10 @@ controls:
-             - set_firewalld_default_zone
-             - firewalld_sshd_port_enabled
- 
-+            # NetworkManger
-+            - networkmanager_dns_mode
-+            - var_networkmanager_dns_mode=none
-+
-             # misc
-             - enable_authselect
-             - no_host_based_files
-diff --git a/linux_os/guide/system/network/networkmanager/group.yml b/linux_os/guide/system/network/networkmanager/group.yml
-new file mode 100644
-index 0000000000..4abf48ed96
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/group.yml
-@@ -0,0 +1,7 @@
-+documentation_complete: true
-+
-+title: 'Network Manager'
-+
-+description: |-
-+    The NetworkManager daemon configures a variety of network connections.
-+    This section discusses how to configure NetworkManager.
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
-new file mode 100644
-index 0000000000..b416038bd9
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
-@@ -0,0 +1,14 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = configure
-+# complexity = low
-+# disruption = low
-+
-+{{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}}
-+
-+{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}") }}}
-+
-+- name: "{{{ rule_title }}} - Ensure Network Manager"
-+  ansible.builtin.systemd:
-+      name: NetworkManager
-+      state: reloaded
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
-new file mode 100644
-index 0000000000..88491d288d
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
-@@ -0,0 +1,11 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = configure
-+# complexity = low
-+# disruption = medium
-+
-+{{{ bash_instantiate_variables("var_networkmanager_dns_mode") }}}
-+
-+{{{ bash_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "$var_networkmanager_dns_mode") }}}
-+
-+systemctl reload NetworkManager
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
-new file mode 100644
-index 0000000000..cb07c9a9ed
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
-@@ -0,0 +1,12 @@
-+{{{
-+oval_check_ini_file(
-+    path="/etc/NetworkManager/NetworkManager.conf",
-+    section="main",
-+    parameter="dns",
-+    value="default|none",
-+    missing_parameter_pass=false,
-+    application="NetworkManager",
-+    multi_value=false,
-+    missing_config_file_fail=true
-+)
-+}}}
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
-new file mode 100644
-index 0000000000..b644587b41
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
-@@ -0,0 +1,15 @@
-+checktext: |-
-+    [main]
-+    dns=none
-+
-+    If the dns key under main does not exist or is not set to "none" or "default", this is a finding.
-+
-+fixtext: |-
-+    Configure NetworkManager in RHEL 9 to use a DNS mode.
-+
-+    In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section:
-+
-+    dns = none
-+
-+srg_requirement: |-
-+    {{ full_name }} must configure a DNS processing mode set be Network Manager.
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
-new file mode 100644
-index 0000000000..8b703cb2f1
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
-@@ -0,0 +1,34 @@
-+documentation_complete: true
-+
-+prodtype: rhel9
-+
-+title: 'NetworkManager DNS Mode Must Be Must Configured'
-+
-+description:
-+    The DNS processing mode in NetworkManager describes how DNS is processed on the system.
-+    Depending the mode some changes the system's DNS may not be respected.
-+
-+rationale:
-+    To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel9: CCE-86805-9
-+
-+references:
-+    disa: CCI-000366
-+    nist: CM-6(b)
-+    srg: SRG-OS-000480-GPOS-00227
-+
-+ocil_clause: 'the dns key under main does not exist or is not set to "none" or "default"'
-+
-+
-+ocil: |-
-+    Verify that {{{ full_name }}} has a DNS mode configured in Network Manager.
-+
-+    $ NetworkManager --print-config
-+    [main]
-+    dns={{{ xccdf_value("var_networkmanager_dns_mode") }}}
-+
-+platform: package[NetworkManager]
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
-new file mode 100644
-index 0000000000..7af3e14fc3
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# variables = var_networkmanager_dns_mode = none
-+# packages = NetworkManager
-+
-+cat > /etc/NetworkManager/NetworkManager.conf << EOM
-+[main]
-+dns=none
-+EOM
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
-new file mode 100644
-index 0000000000..a19040e2d5
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# variables = var_networkmanager_dns_mode = default
-+# packages = NetworkManager
-+
-+cat > /etc/NetworkManager/NetworkManager.conf << EOM
-+[main]
-+dns=default
-+EOM
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
-new file mode 100644
-index 0000000000..b81d82c807
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+# variables = var_networkmanager_dns_mode = default
-+
-+sed '/^dns=.*$/d' /etc/NetworkManager/NetworkManager.conf
-diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..6de904b372
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# variables = var_networkmanager_dns_mode = default
-+# packages = NetworkManager
-+
-+cat > /etc/NetworkManager/NetworkManager.conf << EOM
-+[main]
-+dns=dnsmasq
-+EOM
-diff --git a/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
-new file mode 100644
-index 0000000000..1be615dff9
--- /dev/null
-+++ b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
-@@ -0,0 +1,19 @@
-+documentation_complete: true
-+
-+title: 'NetoworkManager DNS Mode'
-+
-+type: string
-+
-+description: |-
-+    This sets how NetworkManager handles DNS.
-+
-+    none -  NetworkManager will not modify resolv.conf.
-+    default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently active connections.
-+
-+interactive: true
-+
-+operator: 'equals'
-+
-+options:
-+    none: none
-+    default: default
-diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
-index ee52a50f1f..4718c7cf71 100644
--- a/shared/applicability/package.yml
-+++ b/shared/applicability/package.yml
-@@ -87,3 +87,5 @@ args:
-     pkgname: zypper
-   openssh:
-     pkgname: openssh
-+  networkmanager:
-+    pkgname: NetworkManager
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 538d9d488d..60663b117a 100644
--- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -459,7 +459,6 @@ CCE-86799-4
- CCE-86802-6
- CCE-86803-4
- CCE-86804-2
-CCE-86805-9
- CCE-86806-7
- CCE-86807-5
- CCE-86808-3
-- 
-2.43.0
-
--- a/SOURCES/scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
+++ b/SOURCES/scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
@ -1,67 +0,0 @@
-From 9062da533315a871939f3c22d4154e1f4141d432 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 5 Dec 2023 16:22:30 +0100
-Subject: [PATCH 13/14] Minor modifications to RHEL STIG profiles
-
-Patch-name: scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
-Patch-status: Minor modifications to RHEL STIG profiles
---
- controls/stig_rhel9.yml                                         | 2 +-
- .../password_quality/passwd_system-auth_substack/rule.yml       | 1 -
- .../audit_rules_immutable_login_uids/rule.yml                   | 1 +
- .../auditing/policy_rules/audit_immutable_login_uids/rule.yml   | 2 --
- 4 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
-index b576ba08c3..73d9e9e1aa 100644
--- a/controls/stig_rhel9.yml
-+++ b/controls/stig_rhel9.yml
-@@ -4114,7 +4114,7 @@ controls:
-             - medium
-         title: RHEL 9 audit system must protect logon UIDs from unauthorized change.
-         rules:
-            - audit_immutable_login_uids
-+            - audit_rules_immutable_login_uids
-         status: automated
- 
-     -   id: RHEL-09-654275
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
-index 89b82af3f2..55d3e47a54 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
-@@ -19,7 +19,6 @@ references:
-     nist: IA-5(1)(a),IA-5(1).1(v),IA-5(1)(a)
-     srg: SRG-OS-000069-GPOS-00037
-     stigid@ol7: OL07-00-010118
-    stigid@rhel7: RHEL-07-010118
- 
- ocil_clause: '/etc/pam.d/passwd does not implement /etc/pam.d/system-auth'
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
-index 46e249efbb..6a8ea53fc5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
-@@ -33,6 +33,7 @@ references:
-     disa: CCI-000162,CCI-000163,CCI-000164
-     srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
-     stigid@rhel8: RHEL-08-030122
-+    stigid@rhel9: RHEL-09-654270
- 
- ocil_clause: 'the system is not configured to make login UIDs immutable'
- 
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
-index 9f2f7dbc11..dbf1015a19 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
-@@ -35,8 +35,6 @@ references:
-     ospp: FAU_GEN.1.2
-     srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
-     stigid@ol8: OL08-00-030122
-    stigid@rhel8: RHEL-08-030122
-    stigid@rhel9: RHEL-09-654270
- 
- ocil_clause: 'the file does not exist or the content differs'
- 
-- 
-2.43.0
-
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -1,58 +1,33 @@
-# SSG build system and tests count with build directory name `build`.
-# For more details see:
+# Base name of static rhel6 content tarball
+%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
 # https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
 %global _vpath_builddir build
 # global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly

 Name:		scap-security-guide
-Version:	0.1.69
-Release:	3%{?dist}.alma.1
+Version:	0.1.73
+Release:	1%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
+Group:		Applications/System
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
-# Fix rule enable_fips_mode
-Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
-Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
-# remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
-Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
-# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
-Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
-# Update sshd_approved_ciphers value for RHEL in STIG profile
-Patch5:	 scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
-# Add rule `package_s-nail-installed`
-Patch6:	 scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
-# New Rule networkmanager_dns_mode
-Patch7:	 scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
-# Add cron.deny Owership Rules
-Patch8:	 scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
-# Add RHEL 9 STIG
-Patch9:	 scap-security-guide-0.1.71-add_rhel9_stig-PR_11193.patch
-# Add var_networkmanager_dns_mode to RHEL 9 STIG
-Patch10:	scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
-# Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
-Patch11:	scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
-# Minor modifications to RHEL STIG profiles
-Patch12:	scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
-# Add variable support to `auditd_name_format` rule
-Patch13:	scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
-# Update ssh stig HMACS and Ciphers allowed in OL8 STIG
-Patch14:	scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
-BuildArch:	noarch
+# Include tarball with last released rhel6 content
+Source1:	%{_static_rhel6_content}.tar.bz2

-# AlmaLinux 9
-Patch1000:      scap-security-guide-0.1.69-add-almalinux9-product.patch
+BuildArch:	noarch

 BuildRequires:	libxslt
 BuildRequires:	expat
 BuildRequires:	openscap-scanner >= 1.2.5
 BuildRequires:	cmake >= 2.8
-# To get python3 inside the buildroot require its path explicitly in BuildRequires
-BuildRequires: /usr/bin/python3
+BuildRequires:	python3-devel
 BuildRequires:	python%{python3_pkgversion}
 BuildRequires:	python%{python3_pkgversion}-jinja2
 BuildRequires:	python%{python3_pkgversion}-PyYAML
 Requires:	xml-common, openscap-scanner >= 1.2.5
+Obsoletes:	openscap-content < 0:0.9.13
+Provides:	openscap-content

 %description
 The scap-security-guide project provides a guide for configuration of the
@ -68,6 +43,7 @@ further information.

 %package	doc
 Summary:	HTML formatted security guides generated from XCCDF benchmarks
+Group:		System Environment/Base
 Requires:	%{name} = %{version}-%{release}

 %description	doc
@ -75,7 +51,7 @@ The %{name}-doc package contains HTML formatted documents containing
 hardening guidances that have been generated from XCCDF benchmarks
 present in %{name} package.

-%if %{defined rhel}
+%if ( %{defined rhel} && (! %{defined centos}) )
 %package	rule-playbooks
 Summary:	Ansible playbooks per each rule.
 Group:		System Environment/Base
@ -86,36 +62,48 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
 %endif

 %prep
-%autosetup -p1
+%autosetup -p1 -b1

-%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
-%define cmake_defines_specific %{nil}
-%if 0%{?rhel}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
-%endif
-%if 0%{?centos}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
-%endif
-%if 0%{?almalinux}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_ALMALINUX%{almalinux}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
-%endif
-
-mkdir -p build
 %build
-%cmake %{cmake_defines_common} %{cmake_defines_specific}
+mkdir -p build
+cd build
+%cmake \
+-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
+-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
+-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
+-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
+-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
+%if %{defined centos}
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
+%else
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
+%endif
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
+%if ( %{defined rhel} && (! %{defined centos}) )
+-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
+%endif
+../
 %cmake_build

 %install
+cd build
 %cmake_install
-rm %{buildroot}/%{_docdir}/%{name}/README.md
-rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
+
+# Manually install pre-built rhel6 content
+cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
+cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
+cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}

 %files
 %{_datadir}/xml/scap/ssg/content
 %{_datadir}/%{name}/kickstart
-%{_datadir}/%{name}/ansible/*.yml
+%{_datadir}/%{name}/ansible
+%{_datadir}/%{name}/bash
+%{_datadir}/%{name}/tailoring
 %lang(en) %{_mandir}/man8/scap-security-guide.8.*
 %doc %{_docdir}/%{name}/LICENSE
+%doc %{_docdir}/%{name}/README.md
+%doc %{_docdir}/%{name}/Contributors.md
 %if ( %{defined rhel} && (! %{defined centos}) )
 %exclude %{_datadir}/%{name}/ansible/rule_playbooks
 %endif
@ -124,273 +112,408 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %doc %{_docdir}/%{name}/guides/*.html
 %doc %{_docdir}/%{name}/tables/*.html

-%if %{defined rhel}
+%if ( %{defined rhel} && (! %{defined centos}) )
 %files rule-playbooks
 %defattr(-,root,root,-)
 %{_datadir}/%{name}/ansible/rule_playbooks
 %endif

 %changelog
-* Tue Jan 23 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.69-3.alma.1
- Add AlmaLinux 9 support
+* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
+- Rebase scap-security-guide package to version 0.1.73 (RHEL-36733)
+- Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
+- Fix file path identification in Rsyslog configuration (RHEL-17202)
+- Use a correct chrony server address in STIG profile (RHEL-1814)
+- Don't BuildRequire /usr/bin/python3 (RHEL-2244)

-* Tue Dec 05 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-3
- Align STIG profile with official DISA STIG for RHEL 9 (RHEL-1807)
+* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
+- Unlist profiles no longer maintained in RHEL8.

-* Thu Aug 17 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-2
- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
- Fix ANSSI High profile with secure boot (RHBZ#2221697)
+* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
+- Rebase to a new upstream release 0.1.72 (RHEL-25250)
+- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
+- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
+- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
+- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
+- Add rule to terminate idle user sessions after defined time (RHEL-1801)
+- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
+- Add remediation for rule fapolicy_default_deny (RHEL-1817)
+- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
+- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
+- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
+- Update PCI-DSS to v4 (RHEL-1808)
+- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)

-* Wed Aug 09 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
- Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)
- SSSD configuration files are now created with correct permissions whenever remediating SSSD related rules (RHBZ#2211511)
- add warning about migration of network configuration files when upgrading from RHEL 8 to RHEL 9 (RHBZ#2172555)
- Correct URL used to download CVE checks. (RHBZ#2223178)
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155790)
- Fixed excess quotes in journald configuration files (RHBZ#2193169)
- Change rules checking home directories to apply only to local users (RHBZ#2203791)
- Change rules checking password age to apply only to local users (RHBZ#2213958)
- Updated man page (RHBZ#2060028)
+* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
+- remove problematic rule from ANSSI High profile (RHBZ#2221695)

-* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
- Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
- Fix remediation of audit watch rules (RHBZ#2169441)
- Fix check firewalld_sshd_port_enabled (RHBZ#2169443)
- Fix accepted control flags for pam_pwhistory (RHBZ#2169443)
- Unselect rule logind_session_timeout (RHBZ#2169443)
- Add support rainer scripts in rsyslog rules (RHBZ#2169445)
+* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
+- Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
+- Fixed CCE link URL (RHBZ#2178516)
+- align remediations with rule description for rule configuring OpenSSL cryptopolicy (RHBZ#2192893)
+- Add rule audit_rules_login_events_faillock to STIG profile (RHBZ#2167999)
+- Fixed rules related to AIDE configuration (RHBZ#2175684)
+- Allow default permissions for files stored on EFI FAT partitions (RHBZ#2184487)
+- Add appropriate STIGID to accounts_passwords_pam_faillock_interval rule (RHBZ#2209073)
+- improved and unified OVAL checks checking for interactive users (RHBZ#2157877)
+- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155789)
+- unify OVAL checks to correctly identify interactive users (RHBZ#2178740)
+- make rule checking for Postfix unrestricted relay accept more variants of valid configuration syntax (RHBZ#2170530)
+- Fixed excess quotes in journald configuration files (RHBZ#2169857)
+- rules related to polyinstantiated directories are not applied when building images for Image Builder (RHBZ#2130182)
+- evaluation and remediation of rules related to mount points have been enhanced for Image Builder (RHBZ#2130185)
+- do not enable FIPS mode when creating hardened images for Image Builder (RHBZ#2130181)
+- Correct URL used to download CVE checks (RHBZ#2222583)
+- mention exact required configuration value in description of some PAM related rules (RHBZ#2175882)
+- make mount point related rules not applicable when no such mount points exist (RHBZ#2176008)
+- improve checks determining if FIPS mode is enabled (RHBZ#2129100)

-* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
- OSPP: fix rule related to coredump (RHBZ#2081688)
+* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
+- Unselect rule logind_session_timeout (RHBZ#2158404)

-* Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
+* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
+- Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
+- Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
+- Fix levels of CIS rules (RHBZ#2162803)
+- Remove unused RHEL8 STIG control file (RHBZ#2156192)
+- Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
+- Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
+- Add rule for audit immutable login uids (RHBZ#2151553)
+- Fix remediation of audit watch rules (RHBZ#2119356)
+- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
+- Fix applicability of kerberos rules (RHBZ#2099394)
+- Add support rainer scripts in rsyslog rules (RHBZ#2072444)

-* Thu Aug 11 2022 Matej Tyc <matyc@redhat.com> - 0.1.63-3
- Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
+* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
+- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
+- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)
+- Fix remediation for firewalld_sshd_port_enabled (RHBZ#2116474)
+- Fix compatibility with Ansible 2.14
+
+* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
+- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
+
+* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
+- Fix Ansible partition conditional (RHBZ#2032403)

 * Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
- OSPP: update rules related to coredumps (RHBZ#2081688)
- OSPP: update rules related to BPF (RHBZ#2081728)
- fix description of require_singleuser_mode (RHBZ#2092799)
- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
- OSPP: use minimal Authselect profile(RHBZ#2114979)
+- aligning with the latest STIG update (RHBZ#2112937)
+- OSPP: use Authselect minimal profile (RHBZ#2117192)
+- OSPP: change rules for protecting of boot (RHBZ#2116440)
+- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
+- fix handling of Defaults clause in sudoers (RHBZ#2083109)
+- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
+- fix handling of Rsyslog include directives (RHBZ#2075384)

 * Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
-
-* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
- Remove some sysctl rules  related to network from RHEL9 OSPP (RHBZ#2081708)
- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
- Remove rules related to NIS services (RHBZ#2096602)
- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
+- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)

 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070563)
+- Rebase to a new upstream release (RHBZ#2070564)
+
+* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
+- Fix validation of OVAL 5.10 content (RHBZ#2079241)
+- Fix Ansible sysctl remediation (RHBZ#2079241)
+
+* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
+- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
+- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
+
+* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
+- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
+
+* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
+- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)

 * Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
+- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860)
+- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
+- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485)

-* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
- Fix Ansible service disabled tasks (RHBZ#2014561)
- Update description of OSPP profile (RHBZ#2045386)
- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
+* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
+- Fix Ansible service disabled tasks (RHBZ#2014485)
+- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)

 * Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
- Update GRUB2 rule descriptions (RHBZ#2020623)
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
+- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
+- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
+- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2026301)
+- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2030966)
+- Update GRUB2 rule descriptions (RHBZ#2014485)
+- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014485)

 * Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
+- Update RHEL8 STIG profile to V1R5 (RHBZ#2049555)
+- Align audit rules for OSPP profile (RHBZ#2000264)
+- Fix rule selection in ANSSI Enhanced profile (RHBZ#2053587)

 * Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
- Rebase to a new upstream release (RHBZ#2014561)
+- Rebase to a new upstream release (RHBZ#2014485)

-* Wed Dec 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.59-1
- Rebase to a new upstream release (RHBZ#2014561)
- Enable Centos Stream 9 content (RHBZ#2021284)
+* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
+- Rebase to a new upstream release (RHBZ#2014485)

 * Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
- Rebase to a new upstream release (RHBZ#2014561)
- Disable profiles that we disable in RHEL8
+- Rebase to a new upstream release. (RHBZ#2014485)
 - Add a VM wait handling to fix issues with tests.

-* Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Fix remediations applicability of zipl rules
-  Resolves: rhbz#1996847
+* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
+- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)

-* Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
- Fix a broken HTTP link
-  Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
-  Resolves: rhbz#1962564
+* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
+- Fix remaining audit rules file permissions (RHBZ#1993056)
+- Mark a STIG service rule as machine only (RHBZ#1993056)
+- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)

-* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
- Use SSHD directory-based configuration.
-  Resolves: rhbz#1962564
- Introduce ISM kickstarts
-  Resolves: rhbz#1978290
- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
-  TLDR: Enable remediations by means of platform metadata,
-  enable the RHEL9 GPG rule, introduce the s390x platform,
-  fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
-  address the subscription-manager package merge, and
-  enable and select more rules applicable to RHEL9.
-  Resolves: rhbz#1987227
-  Resolves: rhbz#1987226
-  Resolves: rhbz#1987231
-  Resolves: rhbz#1988289
+* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
+- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
+- Include tests for Ansible Playbooks that remove and reintroduce files.
+- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056) 
+- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
+- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
+- Add Kickstart files for ISM profile (RHBZ#1955373)
+- Fix broken RHEL7 documentation links (RHBZ#1966577)

-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
+- Update to the latest upstream release (RHBZ#1966577)
+- Enable the ISM profile.

-* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Upgrade to the latest upstream release
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
+* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
+- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)

-* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
- Introduced the playbooks subpackage.
- Enabled CentOS content on CentOS systems.
- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
+* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
+- Update to the latest upstream release (RHBZ#1966577)
+- Add ANSSI High Profile (RHBZ#1955183)

-* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
- Enable more RHEL9 rules and introduce RHEL9 profile stubs
+* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
+- Remove Kickstart for not shipped profile (RHBZ#1778188)

-* Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
- Upgrade to the latest upstream release
- remove README.md and Contributors.md
- remove SCAP component files
- remove SCAP 1.2 source data streams
- remove HTML guides for the virtual “(default)” profile
- remove profile Bash remediation scripts
- build only RHEL9 content
- remove other products
- use autosetup in %prep phase
+* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
+- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)

-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.54-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
+- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)

-* Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
- fix definition of build directory
+* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
+- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)

-* Fri Feb 05 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-1
- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
+* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
+- Update to the latest upstream release (RHBZ#1889344)
+- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)

-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.53-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
+- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
+- Fix RHEL6 CPE dictionary (RHBZ#1899059)
+- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)

-* Mon Nov 16 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
+* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
+- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
+- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
+- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
+- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
+- Disable usbguard rules on s390x architecture (RHBZ#1899059)

-* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-3
- revert previous rework, it did not solve the problem
+* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
+- Update list of profiles built (RHBZ#1889344)

-* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-2
- rewrite solution for CMake out of source builds
+* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
+- Update to the latest upstream release (RHBZ#1889344)

-* Mon Sep 21 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-1
- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
+* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
+- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)

-* Tue Aug 04 2020 Jan Černý <jcerny@redhat.com> - 0.1.51-4
- Update for new CMake out of source builds
-  https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
+* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
+- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)

-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-3
- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
+- remove rationale from rules that contain defective links (rhbz#1854854)

-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
+- fixed link in a grub2 rule description (rhbz#1854854)
+- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
+- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)

-* Fri Jul 17 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.51-1
- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
+* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
+- Update the scapval invocation (RHBZ#1815007)
+- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
+- Change the spec file macro invocation from patch to Patch
+- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)

-* Mon Mar 23 2020 Watson Sato <wsato@redhat.com> - 0.1.49-1
- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
+* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
+- fix description of HIPAA profile (RHBZ#1867559)

-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.48-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
+- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
+  - Remove CCM from TLS Ciphersuites

-* Thu Jan 16 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
+* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
+- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)

-* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Hotfix of the XML parsing fix.
+* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
+- Fix rsyslog permissions/ownership rules (RHBZ#1781606)

-* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-1
- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
- Fixed XML parsing of remediation functions.
+* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
+- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)

-* Mon Jul 29 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
+* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
+- CIS Ansible fixes (RHBZ#1760734)
+- HIPAA Ansible fixes (RHBZ#1832760)

-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.44-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
+ - HIPAA Profile (RHBZ#1832760)
+  - Enable build of RHEL8 HIPAA Profile
+  - Add kickstarts for HIPAA
+- CIS Profile (RHBZ#1760734)
+  - Add Ansible fix for sshd_set_max_sessions
+  - Add CIS Profile content attribution to Center for Internet Security

-* Mon May 06 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.44-1
- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
+* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
+- Fix Ansible for no_direct_root_logins
+- Fix Ansible template for SELinux booleans
+- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)

-* Fri Feb 22 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-1
- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
-  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
- Update URL and source URL
+* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
+- Update selections in RHEL8 CIS Profile (RHBZ#1760734)

-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.42-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
+- Update to the latest upstream release (RHBZ#1815007)

-* Wed Dec 12 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.42-1
+* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
+- Update to the latest upstream release (RHBZ#1815007)
+
+* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
+- Update baseline package list of OSPP profile
+
+* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
+- Rebuilt with correct spec file
+
+* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
+- Add SRG references to STIG rules (RHBZ#1755447)
+
+* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
+- Drop rsyslog rules from OSPP profile
+- Update COBIT URI
+- Add rules for strong source of RNG entropy
+- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
+- STIG profile: added rsyslog rules and updated SRG mappings
+- Split audit rules according to audit component (RHBZ#1791312)
+
+* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
+- Update crypto-policy test scenarios
+- Update max-path-len test to skip tests/logs directory
+
+* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
+- Fix list of tables that are generated for RHEL8
+
+* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
+- Update to latest upstream SCAP-Security-Guide-0.1.48 release
+
+* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
+- Improved the e8 profile (RHBZ#1755194)
+
+* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
+- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
+
+* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
+- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
+
+* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
+- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
+
+* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
+- Update to latest upstream SCAP-Security-Guide-0.1.46 release
+- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
+
+* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
+- Use crypto-policy rules in OSPP profile.
+- Re-enable FIREFOX and JRE product in build.
+- Change test suite logging message about missing profile from ERROR to WARNING.
+- Build only one version of SCAP content at a time.
+
+* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
+- Update to latest upstream SCAP-Security-Guide-0.1.45 release
+
+* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
+- Ported changelog from late 8.0 builds.
+- Disabled build of the OL8 product, updated other components of the cmake invocation.
+
+* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
+- Update to latest upstream SCAP-Security-Guide-0.1.44 release
+
+* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
+- Assign CCE to rules from OSPP profile which were missing the identifier.
+- Fix regular expression for Audit rules ordering
+- Account for Audit rules flags parameter position within syscall
+- Add remediations for Audit rules file path
+- Add Audit rules for modification of /etc/shadow and /etc/gshadow
+- Add Ansible and Bash remediations for directory_access_var_log_audit rule
+- Add a Bash remediation for Audit rules that require ordering
+
+* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
+- Assign CCE identifier to rules used by RHEL8 profiles.
+
+* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
+- Fixed Crypto Policy OVAL for NSS
+- Got rid of rules requiring packages dropped in RHEL8.
+- Profile descriptions fixes.
+
+* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
+- Update applicable platforms in crypto policy tests
+
+* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
+- Introduce Podman backend for SSG Test suite
+- Update bind and libreswan crypto policy test scenarios
+
+* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
+- Further fix of profiles descriptions, so they don't contain literal '\'.
+- Removed obsolete sshd rule from the OSPP profile.
+
+* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
+- Fixed profiles descriptions, so they don't contain literal '\n'.
+- Made the configure_kerberos_crypto_policy OVAL more robust.
+- Made OVAL for libreswan and bind work as expected when those packages are not installed.
+
+* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
+- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
+
+* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
+- Added FIPS mode rule for the OSPP profile.
+- Split the installed_OS_is certified rule.
+- Explicitly disabled OSP13, RHV4 and Example products.
+
+* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
+- Add missing kickstart files for RHEL8
+- Disable profiles that are not in good shape for RHEL8
+
+* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
 - Update to latest upstream SCAP-Security-Guide-0.1.42 release:
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
- Fix man page build dependency on derivative content
+- System-wide crypto policies are introduced for RHEL8
+- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.

-* Mon Oct 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
+* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
+- Fix man page and package description
+
+* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
 - Update to latest upstream SCAP-Security-Guide-0.1.41 release:
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
- Fix Licence of this package
+- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles

-* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
-  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
- Update to use Python3 for build.
+* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
+- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
+- Only build content for rhel8 products

-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.39-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
+- Update build of rhel8 content

-* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
- Add python version to python2-jinja2 package
+* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
+- Enable build of rhel8 content

-* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
+* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
 - Update to latest upstream SCAP-Security-Guide-0.1.39 release:
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
-
-* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-2
- Add python version to python package prefixes
+- Fix spec file to build using Python 3
+- Fix License because upstream changed to BSD-3

 * Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
 - Update to latest upstream SCAP-Security-Guide-0.1.38 release:
@ -560,7 +683,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 * Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
 - Add .gitignore for Fedora output directory
 - Set up Fedora release name and CPE based on build system properties
- Use correct file paths in scap-security-guide(8) manual page 
+- Use correct file paths in scap-security-guide(8) manual page
  (RH BZ#1018905, c#10)
 - Apply further changes motivated by scap-security-guide Fedora RPM review
  request (RH BZ#1018905, c#8):