scap-security-guide/scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch
Matej Tyc a300600b35 >Port 8.5 changes to the package to RHEL9
Also deal with missing CCE issues.

Resolves: rhbz#1962564
2021-07-09 11:23:22 +02:00


From 215db1bbe08fdaf1139f563abf9515e8a15a6457 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 10 Jun 2021 19:36:47 +0200
Subject: [PATCH 1/4] Added RHEL9 profiles that are based on RHEL8 profiles.
Unsupported rules are commented out.
---
.../profiles/anssi_bp28_enhanced.profile | 16 +
.../rhel9/profiles/anssi_bp28_high.profile | 15 +
.../profiles/anssi_bp28_intermediary.profile | 15 +
.../rhel9/profiles/anssi_bp28_minimal.profile | 16 +
rhel9/profiles/cis.profile | 1088 +++++++++++++++++
rhel9/profiles/cjis.profile | 139 +++
rhel9/profiles/cui.profile | 32 +
rhel9/profiles/e8.profile | 149 +++
rhel9/profiles/hipaa.profile | 164 +++
rhel9/profiles/ism_o.profile | 134 ++
rhel9/profiles/ospp-mls.profile | 25 +
rhel9/profiles/ospp.profile | 444 +++++++
rhel9/profiles/pci-dss.profile | 134 +-
rhel9/profiles/rht-ccp.profile | 100 ++
rhel9/profiles/standard.profile | 67 +
rhel9/profiles/stig.profile | 1069 ++++++++++++++++
rhel9/profiles/stig_gui.profile | 36 +
17 files changed, 3640 insertions(+), 3 deletions(-)
create mode 100644 rhel9/profiles/anssi_bp28_enhanced.profile
create mode 100644 rhel9/profiles/anssi_bp28_high.profile
create mode 100644 rhel9/profiles/anssi_bp28_intermediary.profile
create mode 100644 rhel9/profiles/anssi_bp28_minimal.profile
create mode 100644 rhel9/profiles/cis.profile
create mode 100644 rhel9/profiles/cjis.profile
create mode 100644 rhel9/profiles/cui.profile
create mode 100644 rhel9/profiles/e8.profile
create mode 100644 rhel9/profiles/hipaa.profile
create mode 100644 rhel9/profiles/ism_o.profile
create mode 100644 rhel9/profiles/ospp-mls.profile
create mode 100644 rhel9/profiles/ospp.profile
create mode 100644 rhel9/profiles/rht-ccp.profile
create mode 100644 rhel9/profiles/standard.profile
create mode 100644 rhel9/profiles/stig.profile
create mode 100644 rhel9/profiles/stig_gui.profile
diff --git a/rhel9/profiles/anssi_bp28_enhanced.profile b/rhel9/profiles/anssi_bp28_enhanced.profile
new file mode 100644
index 00000000000..bbc11353f3b
--- /dev/null
+++ b/rhel9/profiles/anssi_bp28_enhanced.profile
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:enhanced
+ - '!selinux_state'
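Review bot: The `'!selinux_state'` exclusion on the last line of this new profile has no explanation, so a reader cannot tell whether the SELinux enforcing-state check is dropped deliberately for the enhanced level or as a temporary RHEL9 workaround. The patch subject says unsupported rules are commented out, but here a rule is actively deselected from `anssi:all:enhanced`, and none of the three sibling ANSSI profiles in this patch does the same. I would add a comment directly above it, for example `# selinux_state deselected: <reason or tracking issue>`, so the exclusion is revisited later. Without that, anyone scanning against this profile may assume SELinux enforcement is verified when it is not.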
diff --git a/rhel9/profiles/anssi_bp28_high.profile b/rhel9/profiles/anssi_bp28_high.profile
new file mode 100644
index 00000000000..560460b55f7
--- /dev/null
+++ b/rhel9/profiles/anssi_bp28_high.profile
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (high)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:high
diff --git a/rhel9/profiles/anssi_bp28_intermediary.profile b/rhel9/profiles/anssi_bp28_intermediary.profile
new file mode 100644
index 00000000000..a5920316735
--- /dev/null
+++ b/rhel9/profiles/anssi_bp28_intermediary.profile
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (intermediary)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:intermediary
diff --git a/rhel9/profiles/anssi_bp28_minimal.profile b/rhel9/profiles/anssi_bp28_minimal.profile
new file mode 100644
index 00000000000..cef8394114d
--- /dev/null
+++ b/rhel9/profiles/anssi_bp28_minimal.profile
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (minimal)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:minimal
+
diff --git a/rhel9/profiles/cis.profile b/rhel9/profiles/cis.profile
new file mode 100644
index 00000000000..8939011ad1f
--- /dev/null
+++ b/rhel9/profiles/cis.profile
@@ -0,0 +1,1088 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
+
+description: |-
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+selections:
+ # Necessary for dconf rules
+# - dconf_db_up_to_date # not supported in RHEL9 ATM
+
+ ### Partitioning
+ - mount_option_home_nodev
+
+ ## 1.1 Filesystem Configuration
+
+ ### 1.1.1 Disable unused filesystems
+
+ #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
+ - kernel_module_cramfs_disabled
+
+ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
+
+
+ #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
+ - kernel_module_squashfs_disabled
+
+ #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
+ - kernel_module_udf_disabled
+
+ ### 1.1.2 Ensure /tmp is configured (Scored)
+ - partition_for_tmp
+
+ ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
+ - mount_option_tmp_nodev
+
+ ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
+ - mount_option_tmp_nosuid
+
+ ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
+ - mount_option_tmp_noexec
+
+ ### 1.1.6 Ensure separate partition exists for /var (Scored)
+ - partition_for_var
+
+ ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
+ - partition_for_var_tmp
+
+ ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
+ - mount_option_var_tmp_nodev
+
+ ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
+ - mount_option_var_tmp_nosuid
+
+ ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
+ - mount_option_var_tmp_noexec
+
+ ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
+ - partition_for_var_log
+
+ ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
+ - partition_for_var_log_audit
+
+ ### 1.1.13 Ensure separate partition exists for /home (Scored)
+ - partition_for_home
+
+ ### 1.1.14 Ensure nodev option set on /home partition (Scored)
+ - mount_option_home_nodev
+
+ ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
+ - mount_option_dev_shm_nodev
+
+ ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
+ - mount_option_dev_shm_nosuid
+
+ ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
+ - mount_option_dev_shm_noexec
+
+ ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
+ - mount_option_nodev_removable_partitions
+
+ ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
+ - mount_option_nosuid_removable_partitions
+
+ ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
+ - mount_option_noexec_removable_partitions
+
+ ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
+ - dir_perms_world_writable_sticky_bits
+
+ ### 1.1.22 Disable Automounting (Scored)
+ - service_autofs_disabled
+
+ ### 1.1.23 Disable USB Storage (Scored)
+ - kernel_module_usb-storage_disabled
+
+ ## 1.2 Configure Software Updates
+
+ ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
+
+ ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
+ - service_rhnsd_disabled
+
+ ### 1.2.3 Ensure GPG keys are configured (Not Scored)
+ - ensure_redhat_gpgkey_installed
+
+ ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
+ - ensure_gpgcheck_globally_activated
+
+ ### 1.2.5 Ensure package manager repositories are configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
+
+ ## 1.3 Configure sudo
+
+ ### 1.3.1 Ensure sudo is installed (Scored)
+ - package_sudo_installed
+
+ ### 1.3.2 Ensure sudo commands use pty (Scored)
+ - sudo_add_use_pty
+
+ ### 1.3.3 Ensure sudo log file exists (Scored)
+ - sudo_custom_logfile
+
+ ## 1.4 Filesystem Integrity Checking
+
+ ### 1.4.1 Ensure AIDE is installed (Scored)
+ - package_aide_installed
+
+ ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
+ - aide_periodic_cron_checking
+
+ ## Secure Boot Settings
+
+ ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+ #### chown root:root /boot/grub2/grub.cfg
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+
+ #### chmod og-rwx /boot/grub2/grub.cfg
+ - file_permissions_grub2_cfg
+
+ #### chown root:root /boot/grub2/grubenv
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+
+ #### chmod og-rwx /boot/grub2/grubenv
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+
+ ### 1.5.2 Ensure bootloader password is set (Scored)
+ - grub2_password
+
+ ### 1.5.3 Ensure authentication required for single user mode (Scored)
+ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+ - require_singleuser_auth
+
+ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+ - require_emergency_target_auth
+
+ ## 1.6 Additional Process Hardening
+
+ ### 1.6.1 Ensure core dumps are restricted (Scored)
+ #### * hard core 0
+ - disable_users_coredumps
+
+ #### fs.suid_dumpable = 0
+ - sysctl_fs_suid_dumpable
+
+ #### ProcessSizeMax=0
+# - coredump_disable_backtraces
+
+ #### Storage=none
+# - coredump_disable_storage
+
+ ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
+ - sysctl_kernel_randomize_va_space
+
+ ## 1.7 Mandatory Access Control
+
+ ### 1.7.1 Configure SELinux
+
+ #### 1.7.1.1 Ensure SELinux is installed (Scored)
+ - package_libselinux_installed
+
+ #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
+ - grub2_enable_selinux
+
+ #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
+ - var_selinux_state=enforcing
+ - selinux_state
+
+ #### 1.7.1.5 Ensure no unconfied services exist (Scored)
+ - selinux_confinement_of_daemons
+
+ #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
+ - package_setroubleshoot_removed
+
+ #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
+ - package_mcstrans_removed
+
+ ## Warning Banners
+
+ ### 1.8.1 Command Line Warning Baners
+
+ #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
+ - banner_etc_motd
+
+ #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
+ - banner_etc_issue
+
+ #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
+
+ #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
+ # chmod u-x,go-wx /etc/motd
+ - file_permissions_etc_motd
+
+ #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
+ # chmod u-x,go-wx /etc/issue
+ - file_permissions_etc_issue
+
+ #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+ # Previously addressed via 'rpm_verify_permissions' rule
+
+ ### 1.8.2 Ensure GDM login banner is configured (Scored)
+ #### banner-message-enable=true
+# - dconf_gnome_banner_enabled # not supported in RHEL9 ATM
+
+ #### banner-message-text='<banner message>'
+# - dconf_gnome_login_banner_text # not supported in RHEL9 ATM
+
+ ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
+ - security_patches_up_to_date
+
+ ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
+ - var_system_crypto_policy=future
+ - configure_crypto_policy
+
+ ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
+ # Previously addressed via 'configure_crypto_policy' rule
+
+ # Services
+
+ ## 2.1 inetd Services
+
+ ### 2.1.1 Ensure xinetd is not installed (Scored)
+ - package_xinetd_removed
+
+ ## 2.2 Special Purpose Services
+
+ ### 2.2.1 Time Synchronization
+
+ #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+ - package_chrony_installed
+
+ #### 2.2.1.2 Ensure chrony is configured (Scored)
+ - service_chronyd_enabled
+ - chronyd_specify_remote_server
+ - chronyd_run_as_chrony_user
+
+ ### 2.2.2 Ensure X Window System is not installed (Scored)
+ - package_xorg-x11-server-common_removed
+ - xwindows_runlevel_target
+
+ ### 2.2.3 Ensure rsync service is not enabled (Scored)
+ - service_rsyncd_disabled
+
+ ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
+ - service_avahi-daemon_disabled
+
+ ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
+ - service_snmpd_disabled
+
+ ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
+ - package_squid_removed
+
+ ### 2.2.7 Ensure Samba is not enabled (Scored)
+ - service_smb_disabled
+
+ ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
+ - service_dovecot_disabled
+
+ ### 2.2.9 Ensure HTTP server is not enabled (Scored)
+ - service_httpd_disabled
+
+ ### 2.2.10 Ensure FTP Server is not enabled (Scored)
+ - service_vsftpd_disabled
+
+ ### 2.2.11 Ensure DNS Server is not enabled (Scored)
+ - service_named_disabled
+
+ ### 2.2.12 Ensure NFS is not enabled (Scored)
+ - service_nfs_disabled
+
+ ### 2.2.13 Ensure RPC is not enabled (Scored)
+ - service_rpcbind_disabled
+
+ ### 2.2.14 Ensure LDAP service is not enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
+
+ ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
+ - service_dhcpd_disabled
+
+ ### 2.2.16 Ensure CUPS is not enabled (Scored)
+ - service_cups_disabled
+
+ ### 2.2.17 Ensure NIS Server is not enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
+
+ ### 2.2.18 Ensure mail transfer agent is configured for
+ ### local-only mode (Scored)
+ - postfix_network_listening_disabled
+
+ ## 2.3 Service Clients
+
+ ### 2.3.1 Ensure NIS Client is not installed (Scored)
+ - package_ypbind_removed
+
+ ### 2.3.2 Ensure telnet client is not installed (Scored)
+ - package_telnet_removed
+
+ ### Ensure LDAP client is not installed
+ - package_openldap-clients_removed
+
+ # 3 Network Configuration
+
+ ## 3.1 Network Parameters (Host Only)
+
+ ### 3.1.1 Ensure IP forwarding is disabled (Scored)
+ #### net.ipv4.ip_forward = 0
+ - sysctl_net_ipv4_ip_forward
+
+ #### net.ipv6.conf.all.forwarding = 0
+ - sysctl_net_ipv6_conf_all_forwarding
+
+ ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
+ #### net.ipv4.conf.all.send_redirects = 0
+ - sysctl_net_ipv4_conf_all_send_redirects
+
+ #### net.ipv4.conf.default.send_redirects = 0
+ - sysctl_net_ipv4_conf_default_send_redirects
+
+ ## 3.2 Network Parameters (Host and Router)
+
+ ### 3.2.1 Ensure source routed packets are not accepted (Scored)
+ #### net.ipv4.conf.all.accept_source_route = 0
+ - sysctl_net_ipv4_conf_all_accept_source_route
+
+ #### net.ipv4.conf.default.accept_source_route = 0
+ - sysctl_net_ipv4_conf_default_accept_source_route
+
+ #### net.ipv6.conf.all.accept_source_route = 0
+ - sysctl_net_ipv6_conf_all_accept_source_route
+
+ #### net.ipv6.conf.default.accept_source_route = 0
+ - sysctl_net_ipv6_conf_default_accept_source_route
+
+ ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+ #### net.ipv4.conf.all.accept_redirects = 0
+ - sysctl_net_ipv4_conf_all_accept_redirects
+
+ #### net.ipv4.conf.default.accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+
+ #### net.ipv6.conf.all.accept_redirects = 0
+ - sysctl_net_ipv6_conf_all_accept_redirects
+
+ #### net.ipv6.conf.defaults.accept_redirects = 0
+ - sysctl_net_ipv6_conf_default_accept_redirects
+
+ ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+ #### net.ipv4.conf.all.secure_redirects = 0
+ - sysctl_net_ipv4_conf_all_secure_redirects
+
+ #### net.ipv4.cof.default.secure_redirects = 0
+ - sysctl_net_ipv4_conf_default_secure_redirects
+
+ ### 3.2.4 Ensure suspicious packets are logged (Scored)
+ #### net.ipv4.conf.all.log_martians = 1
+ - sysctl_net_ipv4_conf_all_log_martians
+
+ #### net.ipv4.conf.default.log_martians = 1
+ - sysctl_net_ipv4_conf_default_log_martians
+
+ ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+
+ ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+
+ ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+ #### net.ipv4.conf.all.rp_filter = 1
+ - sysctl_net_ipv4_conf_all_rp_filter
+
+ #### net.ipv4.conf.default.rp_filter = 1
+ - sysctl_net_ipv4_conf_default_rp_filter
+
+ ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+ - sysctl_net_ipv4_tcp_syncookies
+
+ ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+ #### net.ipv6.conf.all.accept_ra = 0
+ - sysctl_net_ipv6_conf_all_accept_ra
+
+ #### net.ipv6.conf.default.accept_ra = 0
+ - sysctl_net_ipv6_conf_default_accept_ra
+
+ ## 3.3 Uncommon Network Protocols
+
+ ### 3.3.1 Ensure DCCP is disabled (Scored)
+ - kernel_module_dccp_disabled
+
+ ### Ensure SCTP is disabled (Scored)
+ - kernel_module_sctp_disabled
+
+ ### 3.3.3 Ensure RDS is disabled (Scored)
+ - kernel_module_rds_disabled
+
+ ### 3.3.4 Ensure TIPC is disabled (Scored)
+ - kernel_module_tipc_disabled
+
+ ## 3.4 Firewall Configuration
+
+ ### 3.4.1 Ensure Firewall software is installed
+
+ #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
+ ##### firewalld
+ - package_firewalld_installed
+
+ ##### nftables
+ #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
+
+ ##### iptables
+ #- package_iptables_installed
+
+ ### 3.4.2 Configure firewalld
+
+ #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
+ - service_firewalld_enabled
+
+ #### 3.4.2.2 Ensure iptables is not enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
+
+ #### 3.4.2.3 Ensure nftables is not enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
+
+ #### 3.4.2.4 Ensure default zone is set (Scored)
+ - set_firewalld_default_zone
+
+ #### 3.4.2.5 Ensure network interfaces are assigned to
+ #### appropriate zone (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
+
+ #### 3.4.2.6 Ensure unnecessary services and ports are not
+ #### accepted (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
+
+ ### 3.4.3 Configure nftables
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
+
+ #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
+
+ #### 3.4.3.2 Ensure a table exists (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
+
+ #### 3.4.3.3 Ensure base chains exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
+
+ #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
+
+ #### 3.4.3.5 Ensure outbound and established connections are
+ #### configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
+
+ #### 3.4.3.6 Ensure default deny firewall policy (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
+
+ #### 3.4.3.7 Ensure nftables service is enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
+
+ #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
+
+ ### 3.4.4 Configure iptables
+
+ #### 3.4.4.1 Configure IPv4 iptables
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
+
+ ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
+
+ ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
+
+ ##### 3.4.4.1.3 Ensure outbound and established connections are
+ ##### configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
+
+ ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
+
+ #### 3.4.4.2 Configure IPv6 ip6tables
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
+
+ ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
+
+ ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
+
+ ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
+ ##### configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
+
+ ## 3.5 Ensure wireless interfaces are disabled (Scored)
+ - wireless_disable_interfaces
+
+ ## 3.6 Disable IPv6 (Not Scored)
+ - kernel_module_ipv6_option_disabled
+
+ # Logging and Auditing
+
+ ## 4.1 Configure System Accounting (auditd)
+
+ ### 4.1.1 Ensure auditing is enabled
+
+ #### 4.1.1.1 Ensure auditd is installed (Scored)
+ - package_audit_installed
+
+ #### 4.1.1.2 Ensure auditd service is enabled (Scored)
+ - service_auditd_enabled
+
+ #### 4.1.1.3 Ensure auditing for processes that start prior to audit
+ #### is enabled (Scored)
+ - grub2_audit_argument
+
+ #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+ - grub2_audit_backlog_limit_argument
+
+ ### 4.1.2 Configure Data Retention
+
+ #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
+ - auditd_data_retention_max_log_file
+
+ #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
+ - auditd_data_retention_max_log_file_action
+
+ #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
+ - var_auditd_space_left_action=email
+ - auditd_data_retention_space_left_action
+
+ ##### action_mail_acct = root
+ - var_auditd_action_mail_acct=root
+ - auditd_data_retention_action_mail_acct
+
+ ##### admin_space_left_action = halt
+ - var_auditd_admin_space_left_action=halt
+ - auditd_data_retention_admin_space_left_action
+
+ ### 4.1.3 Ensure changes to system administration scope
+ ### (sudoers) is collected (Scored)
+ - audit_rules_sysadmin_actions
+
+ ### 4.1.4 Ensure login and logout events are collected (Scored)
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+
+ ### 4.1.5 Ensure session initiation information is collected (Scored)
+ - audit_rules_session_events
+
+ ### 4.1.6 Ensure events that modify date and time information
+ ### are collected (Scored)
+ #### adjtimex
+ - audit_rules_time_adjtimex
+
+ #### settimeofday
+ - audit_rules_time_settimeofday
+
+ #### stime
+ - audit_rules_time_stime
+
+ #### clock_settime
+ - audit_rules_time_clock_settime
+
+ #### -w /etc/localtime -p wa
+ - audit_rules_time_watch_localtime
+
+ ### 4.1.7 Ensure events that modify the system's Mandatory
+ ### Access Control are collected (Scored)
+ #### -w /etc/selinux/ -p wa
+ - audit_rules_mac_modification
+
+ #### -w /usr/share/selinux/ -p wa
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
+
+ ### 4.1.8 Ensure events that modify the system's network
+ ### enironment are collected (Scored)
+ - audit_rules_networkconfig_modification
+
+ ### 4.1.9 Ensure discretionary access control permission modification
+ ### events are collected (Scored)
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_fremovexattr
+
+ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+ ### collected (Scored)
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ # Opinionated selection
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+
+ ### 4.1.11 Ensure events that modify user/group information are
+ ### collected (Scored)
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_opasswd
+
+ ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+ - audit_rules_media_export
+
+ ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+ - audit_rules_privileged_commands
+
+ ### 4.1.14 Ensure file deletion events by users are collected
+ ### (Scored)
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ # Opinionated selection
+ - audit_rules_file_deletion_events_rmdir
+
+ ### 4.1.15 Ensure kernel module loading and unloading is collected
+ ### (Scored)
+ - audit_rules_kernel_module_loading
+
+ ### 4.1.16 Ensure system administrator actions (sudolog) are
+ ### collected (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+
+ ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+ - audit_rules_immutable
+
+ ## 4.2 Configure Logging
+
+ ### 4.2.1 Configure rsyslog
+
+ #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+ - package_rsyslog_installed
+
+ #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+ - service_rsyslog_enabled
+
+ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+ - rsyslog_files_permissions
+
+ #### 4.2.1.4 Ensure logging is configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+
+ #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+ #### log host (Scored)
+ - rsyslog_remote_loghost
+
+ #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+ #### designated log hosts (Not Scored)
+ - rsyslog_nolisten
+
+ ### 4.2.2 Configure journald
+
+ #### 4.2.2.1 Ensure journald is configured to send logs to
+ #### rsyslog (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+
+ #### 4.2.2.2 Ensure journald is configured to compress large
+ #### log files (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
+
+
+ #### 4.2.2.3 Ensure journald is configured to write logfiles to
+ #### persistent disk (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+
+ ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+
+ ## 4.3 Ensure logrotate is configured (Not Scored)
+
+ # 5 Access, Authentication and Authorization
+
+ ## 5.1 Configure cron
+
+ ### 5.1.1 Ensure cron daemon is enabled (Scored)
+ - service_crond_enabled
+
+
+ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+ # chown root:root /etc/crontab
+ - file_owner_crontab
+ - file_groupowner_crontab
+ # chmod og-rwx /etc/crontab
+ - file_permissions_crontab
+
+ ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+ # chown root:root /etc/cron.hourly
+ - file_owner_cron_hourly
+ - file_groupowner_cron_hourly
+ # chmod og-rwx /etc/cron.hourly
+ - file_permissions_cron_hourly
+
+ ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+ # chown root:root /etc/cron.daily
+ - file_owner_cron_daily
+ - file_groupowner_cron_daily
+ # chmod og-rwx /etc/cron.daily
+ - file_permissions_cron_daily
+
+ ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+ # chown root:root /etc/cron.weekly
+ - file_owner_cron_weekly
+ - file_groupowner_cron_weekly
+ # chmod og-rwx /etc/cron.weekly
+ - file_permissions_cron_weekly
+
+ ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+ # chown root:root /etc/cron.monthly
+ - file_owner_cron_monthly
+ - file_groupowner_cron_monthly
+ # chmod og-rwx /etc/cron.monthly
+ - file_permissions_cron_monthly
+
+ ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+ # chown root:root /etc/cron.d
+ - file_owner_cron_d
+ - file_groupowner_cron_d
+ # chmod og-rwx /etc/cron.d
+ - file_permissions_cron_d
+
+ ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+
+
+ ## 5.2 SSH Server Configuration
+
+ ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+ # chown root:root /etc/ssh/sshd_config
+ - file_owner_sshd_config
+ - file_groupowner_sshd_config
+
+ # chmod og-rwx /etc/ssh/sshd_config
+ - file_permissions_sshd_config
+
+ ### 5.2.2 Ensure SSH access is limited (Scored)
+
+
+ ### 5.2.3 Ensure permissions on SSH private host key files are
+ ### configured (Scored)
+ # TO DO: The rule sets to 640, but benchmark wants 600
+ - file_permissions_sshd_private_key
+ # TO DO: check owner of private keys in /etc/ssh is root:root
+
+ ### 5.2.4 Ensure permissions on SSH public host key files are configured
+ ### (Scored)
+ - file_permissions_sshd_pub_key
+ # TO DO: check owner of pub keys in /etc/ssh is root:root
+
+ ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+ - sshd_set_loglevel_info
+
+ ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
+ - sshd_disable_x11_forwarding
+
+ ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+
+ ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+ - sshd_disable_rhosts
+
+ ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+ - disable_host_auth
+
+ ### 5.2.10 Ensure SSH root login is disabled (Scored)
+ - sshd_disable_root_login
+
+ ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+ - sshd_disable_empty_passwords
+
+ ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+ - sshd_do_not_permit_user_env
+
+ ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
+ # ClientAliveInterval 300
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_idle_timeout
+
+ # ClientAliveCountMax 0
+ - var_sshd_set_keepalive=0
+
+ ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+ ### or less (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+
+ ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+ - sshd_enable_warning_banner
+
+ ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+
+ ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+ - sshd_disable_tcp_forwarding
+
+ ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
+
+ ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=4
+
+ ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
+ - configure_ssh_crypto_policy
+
+ ## 5.3 Configure authselect
+
+
+ ### 5.3.1 Create custom authselectet profile (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+
+ ### 5.3.2 Select authselect profile (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+
+ ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+
+ ## 5.4 Configure PAM
+
+ ### 5.4.1 Ensure password creation requirements are configured (Scored)
+ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
+ - accounts_password_pam_retry
+ - var_password_pam_minlen=14
+ - accounts_password_pam_minlen
+ - var_password_pam_minclass=4
+ - accounts_password_pam_minclass
+
+ ### 5.4.2 Ensure lockout for failed password attempts is
+ ### configured (Scored)
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - var_accounts_passwords_pam_faillock_deny=5
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_deny
+
+ ### 5.4.3 Ensure password reuse is limited (Scored)
+ - var_password_pam_unix_remember=5
+ - accounts_password_pam_unix_remember
+
+ ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+ - set_password_hashing_algorithm_systemauth
+
+ ## 5.5 User Accounts and Environment
+
+ ### 5.5.1 Set Shadow Password Suite Parameters
+
+ #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_maximum_age_login_defs
+
+ #### 5.5.1.2 Ensure minimum days between password changes is 7
+ #### or more (Scored)
+ - var_accounts_minimum_age_login_defs=7
+ - accounts_minimum_age_login_defs
+
+ #### 5.5.1.3 Ensure password expiration warning days is
+ #### 7 or more (Scored)
+ - var_accounts_password_warn_age_login_defs=7
+ - accounts_password_warn_age_login_defs
+
+ #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+ # TODO: Rule doesn't check list of users
+ # https://github.com/ComplianceAsCode/content/issues/5536
+ - var_account_disable_post_pw_expiration=30
+ - account_disable_post_pw_expiration
+
+ #### 5.5.1.5 Ensure all users last password change date is
+ #### in the past (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+
+ ### 5.5.2 Ensure system accounts are secured (Scored)
+ - no_shelllogin_for_systemaccounts
+
+ ### 5.5.3 Ensure default user shell timeout is 900 seconds
+ ### or less (Scored)
+ - var_accounts_tmout=15_min
+ - accounts_tmout
+
+ ### 5.5.4 Ensure default group for the root account is
+ ### GID 0 (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+
+ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+ - var_accounts_user_umask=027
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_profile
+
+ ## 5.6 Ensure root login is restricted to system console (Not Scored)
+ - securetty_root_login_console_only
+ - no_direct_root_logins
+
+ ## 5.7 Ensure access to the su command is restricted (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+
+ # System Maintenance
+
+ ## 6.1 System File Permissions
+
+ ### 6.1.1 Audit system file permissions (Not Scored)
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+ # chown root:root /etc/passwd
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+
+ # chmod 644 /etc/passwd
+ - file_permissions_etc_passwd
+
+ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+ # chown root:root /etc/shadow
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+
+ # chmod o-rwx,g-wx /etc/shadow
+ - file_permissions_etc_shadow
+
+ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
+ # chown root:root /etc/group
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+
+ # chmod 644 /etc/group
+ - file_permissions_etc_group
+
+ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+ # chown root:root /etc/gshadow
+ - file_owner_etc_gshadow
+ - file_groupowner_etc_gshadow
+
+ # chmod o-rwx,g-rw /etc/gshadow
+ - file_permissions_etc_gshadow
+
+ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+ # chown root:root /etc/passwd-
+ - file_owner_backup_etc_passwd
+ - file_groupowner_backup_etc_passwd
+
+ # chmod 644 /etc/passwd-
+ - file_permissions_backup_etc_passwd
+
+ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+ # chown root:root /etc/shadow-
+ - file_owner_backup_etc_shadow
+ - file_groupowner_backup_etc_shadow
+
+ # chmod 0000 /etc/shadow-
+ - file_permissions_backup_etc_shadow
+
+ ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+ # chown root:root /etc/group-
+ - file_owner_backup_etc_group
+ - file_groupowner_backup_etc_group
+
+ # chmod 644 /etc/group-
+ - file_permissions_backup_etc_group
+
+ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+ # chown root:root /etc/gshadow-
+ - file_owner_backup_etc_gshadow
+ - file_groupowner_backup_etc_gshadow
+
+ # chmod 0000 /etc/gshadow-
+ - file_permissions_backup_etc_gshadow
+
+ ### 6.1.10 Ensure no world writable files exist (Scored)
+ - file_permissions_unauthorized_world_writable
+
+ ### 6.1.11 Ensure no unowned files or directories exist (Scored)
+ - no_files_unowned_by_user
+
+ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
+ - file_permissions_ungroupowned
+
+ ### 6.1.13 Audit SUID executables (Not Scored)
+ - file_permissions_unauthorized_suid
+
+ ### 6.1.14 Audit SGID executables (Not Scored)
+ - file_permissions_unauthorized_sgid
+
+ ## 6.2 User and Group Settings
+
+ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+ - no_legacy_plus_entries_etc_passwd
+
+ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+ - no_legacy_plus_entries_etc_shadow
+
+ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+ - no_legacy_plus_entries_etc_group
+
+ ### 6.2.6 Ensure root is the only UID 0 account (Scored)
+ - accounts_no_uid_except_zero
+
+ ### 6.2.7 Ensure users' home directories permissions are 750
+ ### or more restrictive (Scored)
+ - file_permissions_home_dirs
+
+ ### 6.2.8 Ensure users own their home directories (Scored)
+ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
+ - file_groupownership_home_directories
+
+ ### 6.2.9 Ensure users' dot files are not group or world
+ ### writable (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
+
+ ### 6.2.10 Ensure no users have .forward files (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
+
+ ### 6.2.11 Ensure no users have .netrc files (Scored)
+ - no_netrc_files
+
+ ### 6.2.12 Ensure users' .netrc Files are not group or
+ ### world accessible (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
+
+ ### 6.2.13 Ensure no users have .rhosts files (Scored)
+ - no_rsh_trust_files
+
+ ### 6.2.14 Ensure all groups in /etc/passwd exist in
+ ### /etc/group (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
+
+ ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
+
+ ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
+
+ ### 6.2.17 Ensure no duplicate user names exist (Scored)
+ - account_unique_name
+
+ ### 6.2.18 Ensure no duplicate group names exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
+
+ ### 6.2.19 Ensure shadow group is empty (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
+
+ ### 6.2.20 Ensure all users' home directories exist (Scored)
+ - accounts_user_interactive_home_directory_exists
diff --git a/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile
new file mode 100644
index 00000000000..1fc531952b6
--- /dev/null
+++ b/rhel9/profiles/cjis.profile
@@ -0,0 +1,139 @@
+documentation_complete: true
+
+metadata:
+ version: 5.4
+ SMEs:
+ - carlosmmatos
+
+reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
+
+title: 'Criminal Justice Information Services (CJIS) Security Policy'
+
+description: |-
+ This profile is derived from FBI's CJIS v5.4
+ Security Policy. A copy of this policy can be found at the CJIS Security
+ Policy Resource Center:
+
+ https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
+
+selections:
+ - service_auditd_enabled
+ - grub2_audit_argument
+ - auditd_data_retention_num_logs
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_action_mail_acct
+ - auditd_audispd_syslog_plugin_activated
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification
+ - audit_rules_networkconfig_modification
+ - file_permissions_var_log_audit
+ - file_ownership_var_log_audit
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_login_events
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading
+ - audit_rules_immutable
+ - account_unique_name
+ - gid_passwd_group_same
+ - accounts_password_all_shadowed
+ - no_empty_passwords
+ - display_login_attempts
+ - var_accounts_password_minlen_login_defs=12
+ - var_accounts_maximum_age_login_defs=90
+ - var_password_pam_unix_remember=10
+ - var_account_disable_post_pw_expiration=0
+ - var_password_pam_minlen=12
+ - var_accounts_minimum_age_login_defs=1
+ - var_password_pam_difok=6
+ - var_accounts_max_concurrent_login_sessions=3
+ - account_disable_post_pw_expiration
+ - accounts_password_pam_minlen
+ - accounts_minimum_age_login_defs
+ - accounts_password_pam_difok
+ - accounts_max_concurrent_login_sessions
+ - set_password_hashing_algorithm_systemauth
+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - var_password_pam_retry=5
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_unlock_time=600
+# - dconf_db_up_to_date # not supported in RHEL9 ATM
+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
+# - dconf_gnome_screensaver_idle_activation_enabled # not supported in RHEL9 ATM
+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
+# - dconf_gnome_screensaver_mode_blank # not supported in RHEL9 ATM
+ - sshd_allow_only_protocol2
+ - sshd_set_idle_timeout
+ - var_sshd_set_keepalive=0
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_enable_warning_banner
+ - sshd_do_not_permit_user_env
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - kernel_module_dccp_disabled
+ - kernel_module_sctp_disabled
+ - service_firewalld_enabled
+ - set_firewalld_default_zone
+# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
+ - sshd_idle_timeout_value=30_minutes
+ - inactivity_timeout_value=30_minutes
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - security_patches_up_to_date
+ - kernel_module_bluetooth_disabled
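Review bot: Several variables in this selections list have no rule that consumes them, so the values are never checked or remediated. `var_accounts_passwords_pam_faillock_deny=5` and `var_accounts_passwords_pam_faillock_unlock_time=600` are set, but `accounts_passwords_pam_faillock_deny` and `accounts_passwords_pam_faillock_unlock_time` are not selected. The same holds for `var_accounts_maximum_age_login_defs=90`, `var_password_pam_unix_remember=10`, `var_password_pam_retry=5` and the four `var_password_pam_*credit=1` lines, and the file has no `extends:` line that could pull those rules in from elsewhere. Either add the rules, e.g. `- accounts_passwords_pam_faillock_deny` and `- accounts_passwords_pam_faillock_unlock_time`, or list them commented out with the file's existing `# not supported in RHEL9 ATM` marker, so the gap in lockout and password-ageing coverage is visible.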
diff --git a/rhel9/profiles/cui.profile b/rhel9/profiles/cui.profile
new file mode 100644
index 00000000000..bf6d9511c17
--- /dev/null
+++ b/rhel9/profiles/cui.profile
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+metadata:
+ version: TBD
+ SMEs:
+ - carlosmmatos
+
+title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
+
+description: |-
+ From NIST 800-171, Section 2.2:
+ Security requirements for protecting the confidentiality of CUI in nonfederal
+ information systems and organizations have a well-defined structure that
+ consists of:
+
+ (i) a basic security requirements section;
+ (ii) a derived security requirements section.
+
+ The basic security requirements are obtained from FIPS Publication 200, which
+ provides the high-level and fundamental security requirements for federal
+ information and information systems. The derived security requirements, which
+ supplement the basic security requirements, are taken from the security controls
+ in NIST Special Publication 800-53.
+
+ This profile configures Red Hat Enterprise Linux 8 to the NIST Special
+ Publication 800-53 controls identified for securing Controlled Unclassified
+ Information (CUI)."
+
+extends: ospp
+
+selections:
+ - inactivity_timeout_value=10_minutes
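Review bot: The description still names the wrong release: `This profile configures Red Hat Enterprise Linux 8 to the NIST Special` sits in a file under rhel9/profiles, and this text is presumably what generated guides and scan reports show to whoever confirms which baseline was applied. It should read `This profile configures Red Hat Enterprise Linux 9 to the NIST Special`. The same leftover "Red Hat Enterprise Linux 8" appears in the descriptions of e8.profile, hipaa.profile and ism_o.profile later in this patch. The closing line `Information (CUI)."` also carries a stray double quote that becomes part of the description text, and `version: TBD` is worth resolving before the profile is marked `documentation_complete: true`.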
diff --git a/rhel9/profiles/e8.profile b/rhel9/profiles/e8.profile
new file mode 100644
index 00000000000..30eb9c594ac
--- /dev/null
+++ b/rhel9/profiles/e8.profile
@@ -0,0 +1,149 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - shaneboulden
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
+
+description: |-
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
+
+ A copy of the Essential Eight in Linux Environments guide can be found at the
+ ACSC website:
+
+ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+selections:
+
+ ### Remove obsolete packages
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_xinetd_removed
+ - service_xinetd_disabled
+ - package_ypbind_removed
+ - package_telnet_removed
+ - service_telnet_disabled
+ - package_telnet-server_removed
+ - package_rsh_removed
+ - package_rsh-server_removed
+ - service_zebra_disabled
+ - package_quagga_removed
+ - service_avahi-daemon_disabled
+ - package_squid_removed
+ - service_squid_disabled
+
+ ### Software update
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_globally_activated
+ - security_patches_up_to_date
+ - dnf-automatic_security_updates_only
+
+ ### System security settings
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_kexec_load_disabled
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_net_core_bpf_jit_harden
+
+ ### SELinux
+ - var_selinux_state=enforcing
+ - selinux_state
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ ### Filesystem integrity
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+ - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_world_writable
+ - dir_perms_world_writable_sticky_bits
+ - file_permissions_library_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_binary_dirs
+ - file_ownership_library_dirs
+
+ ### Passwords
+ - no_empty_passwords
+
+ ### Partitioning
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nosuid
+ - mount_option_dev_shm_noexec
+
+ ### Network
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - network_sniffer_disabled
+
+ ### Admin privileges
+ - accounts_no_uid_except_zero
+ - sudo_remove_nopasswd
+ - sudo_remove_no_authenticate
+ - sudo_require_authentication
+
+ ### Audit
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ - service_auditd_enabled
+ - var_auditd_flush=incremental_async
+ - auditd_data_retention_flush
+ - auditd_local_events
+ - auditd_write_logs
+ - auditd_log_format
+ - auditd_freq
+ - auditd_name_format
+ - audit_rules_login_events_tallylog
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_seunshare
+ - audit_rules_sysadmin_actions
+ - audit_rules_networkconfig_modification
+ - audit_rules_usergroup_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_kernel_module_loading
+
+ ### Secure access
+ - sshd_disable_root_login
+ - sshd_disable_gssapi_auth
+ - sshd_print_last_log
+ - sshd_do_not_permit_user_env
+ - sshd_disable_rhosts
+ - sshd_set_loglevel_info
+ - sshd_disable_empty_passwords
+ - sshd_disable_user_known_hosts
+ - sshd_enable_strictmodes
+
+ # See also: https://www.cyber.gov.au/acsc/view-all-content/guidance/asd-approved-cryptographic-algorithms
+ - var_system_crypto_policy=default_nosha1
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+
+ ### Application whitelisting
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+
+ ### Backup
+ - package_rear_installed
diff --git a/rhel9/profiles/hipaa.profile b/rhel9/profiles/hipaa.profile
new file mode 100644
index 00000000000..7919649d4d5
--- /dev/null
+++ b/rhel9/profiles/hipaa.profile
@@ -0,0 +1,164 @@
+documentation_complete: True
+
+metadata:
+ SMEs:
+ - jjaswanson4
+ - carlosmmatos
+
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
+
+title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+
+description: |-
+ The HIPAA Security Rule establishes U.S. national standards to protect individuals
+ electronic personal health information that is created, received, used, or
+ maintained by a covered entity. The Security Rule requires appropriate
+ administrative, physical and technical safeguards to ensure the
+ confidentiality, integrity, and security of electronic protected health
+ information.
+
+ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+selections:
+ - grub2_password
+# - grub2_uefi_password # not supported in RHEL9 ATM
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - file_owner_grub2_cfg
+# - grub2_disable_interactive_boot # not supported in RHEL9 ATM
+ - no_direct_root_logins
+ - no_empty_passwords
+ - require_singleuser_auth
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+# - service_debug-shell_disabled # not supported in RHEL9 ATM
+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
+# - dconf_db_up_to_date # not supported in RHEL9 ATM
+# - dconf_gnome_remote_access_credential_prompt # not supported in RHEL9 ATM
+# - dconf_gnome_remote_access_encryption # not supported in RHEL9 ATM
+ - sshd_disable_empty_passwords
+ - sshd_disable_root_login
+# - libreswan_approved_tunnels # not supported in RHEL9 ATM
+ - no_rsh_trust_files
+ - package_rsh-server_removed
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_telnet_removed
+ - package_telnet-server_removed
+ - package_xinetd_removed
+ - service_crond_enabled
+# - service_rexec_disabled # not supported in RHEL9 ATM
+# - service_rlogin_disabled # not supported in RHEL9 ATM
+ - service_telnet_disabled
+ - service_xinetd_disabled
+ - service_zebra_disabled
+# - use_kerberos_security_all_exports # not supported in RHEL9 ATM
+ - disable_host_auth
+ - sshd_allow_only_protocol2
+ - sshd_disable_compression
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+ - sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
+ - var_sshd_set_keepalive=0
+ - encrypt_partitions
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
+ - grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ - service_kdump_disabled
+ - sysctl_fs_suid_dumpable
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_randomize_va_space
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - grub2_audit_argument
+ - service_auditd_enabled
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_su
+ - audit_rules_immutable
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ - auditd_audispd_syslog_plugin_activated
+ - rsyslog_remote_loghost
+ - auditd_data_retention_flush
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_mac_modification
+ - audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
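Review bot: `var_sshd_set_keepalive=0` is set, but no rule in this list uses it: neither `sshd_set_idle_timeout` nor `sshd_set_keepalive` is selected and the file has no `extends:`, so as written the profile does not check SSH idle-session termination at all. Before adding the rule, note that OpenSSH 8.2 changed `ClientAliveCountMax 0` to mean that unresponsive connections are never terminated, so if RHEL 9 ships that version or later, the value 0 would disable the timeout instead of enforcing it. The cjis.profile hunk earlier in this patch sets the same `var_sshd_set_keepalive=0` next to `sshd_set_idle_timeout` and needs the same re-check. Until the value is settled, I would add a comment above the line such as `# TODO: ClientAliveCountMax 0 disables termination on OpenSSH >= 8.2; re-evaluate for RHEL9`.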
diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile
new file mode 100644
index 00000000000..592be03783f
--- /dev/null
+++ b/rhel9/profiles/ism_o.profile
@@ -0,0 +1,134 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - shaneboulden
+ - wcushen
+ - ahamilto156
+
+reference: https://www.cyber.gov.au/ism
+
+title: 'Australian Cyber Security Centre (ACSC) ISM Official'
+
+description: |-
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
+ with the applicability marking of OFFICIAL.
+
+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
+ Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
+ specific to an organisation's security posture and risk profile.
+
+ A copy of the ISM can be found at the ACSC website:
+
+ https://www.cyber.gov.au/ism
+
+extends: e8
+
+selections:
+
+ ## Operating system configuration
+ ## Identifiers 1491
+ - no_shelllogin_for_systemaccounts
+
+ ## Local administrator accounts
+ ## Identifiers 1382 / 1410
+ - accounts_password_all_shadowed
+ - package_sudo_installed
+
+ ## Content filtering & Anti virus
+ ## Identifiers 0576 / 1341 / 1034 / 1417 / 1288
+ - package_aide_installed
+
+ ## Software firewall
+ ## Identifiers 1416
+# - configure_firewalld_ports # not supported in RHEL9 ATM
+ ## Removing due to build error
+ ## - configure_firewalld_rate_limiting
+# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
+ - set_firewalld_default_zone
+
+ ## Endpoint device control software
+ ## Identifiers 1418
+ - package_usbguard_installed
+ - service_usbguard_enabled
+
+ ## Authentication hardening
+ ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
+ ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+ - sshd_max_auth_tries_value=5
+ - disable_host_auth
+ - require_emergency_target_auth
+ - require_singleuser_auth
+ - sshd_disable_kerb_auth
+ - sshd_set_max_auth_tries
+
+ ## Password authentication & Protecting credentials
+ ## Identifiers 0421 / 0431 / 0418 / 1402
+ - var_password_pam_minlen=14
+ - var_accounts_password_warn_age_login_defs=7
+ - var_accounts_minimum_age_login_defs=1
+ - var_accounts_maximum_age_login_defs=60
+ - accounts_password_warn_age_login_defs
+ - accounts_maximum_age_login_defs
+ - accounts_minimum_age_login_defs
+ - accounts_passwords_pam_faillock_interval
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny_root
+ - accounts_password_pam_minlen
+
+ ## Centralised logging facility
+ ## Identifiers 1405 / 0988
+ - rsyslog_cron_logging
+ - rsyslog_files_groupownership
+ - rsyslog_files_ownership
+ - rsyslog_files_permissions
+ - rsyslog_nolisten
+ - rsyslog_remote_loghost
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+ - package_chrony_installed
+ - service_chronyd_enabled
+# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
+ - chronyd_specify_remote_server
+# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
+
+ ## Events to be logged
+ ## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957
+ - display_login_attempts
+ - sebool_auditadm_exec_content
+ - audit_rules_privileged_commands
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification
+ - audit_access_failed
+ - audit_access_success
+
+ ## Web application & Database servers
+ ## Identifiers 1552 / 1277
+# - openssl_use_strong_entropy # not supported in RHEL9 ATM
+
+ ## Network design and configuration
+ ## Identifiers 1055 / 1311
+# - network_nmcli_permissions # not supported in RHEL9 ATM
+ - service_snmpd_disabled
+# - snmpd_use_newer_protocol # not supported in RHEL9 ATM
+
+ ## Wireless networks
+ ## Identifiers 1315
+ - wireless_disable_interfaces
+
+ ## ASD Approved Cryptographic Algorithms
+ ## Identifiers 0471 / 0472 / 0473 / 0474 / 0475 / 0476 / 0477 /
+ ## 0479 / 0480 / 0481 / 0489 / 0497 / 0994 / 0998 / 1001 / 1139 /
+ ## 1372 / 1373 / 1374 / 1375
+# - enable_fips_mode # not supported in RHEL9 ATM
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+
+ ## Secure Shell access
+ ## Identifiers 0484 / 1506 / 1449 / 0487
+ - sshd_allow_only_protocol2
+ - sshd_enable_warning_banner
+ - sshd_disable_x11_forwarding
+ - file_permissions_sshd_private_key
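Review bot: In the "ASD Approved Cryptographic Algorithms" block `enable_fips_mode` is commented out while `var_system_crypto_policy=fips` and `configure_crypto_policy` stay selected. The profile therefore checks only the crypto policy setting, and as far as this file shows, a system could pass without actually running in FIPS mode. The ISM identifiers listed for the firewall (`configure_firewalld_ports`, `firewalld_sshd_port_enabled`) and network (`network_nmcli_permissions`, `snmpd_use_newer_protocol`) sections are likewise only partly covered. Since the profile is marked `documentation_complete: true`, each disabled rule should point at a tracking item the way the cis.profile comments in this patch do, e.g. `# - enable_fips_mode # not supported in RHEL9 ATM - <tracking issue URL>`.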
diff --git a/rhel9/profiles/ospp-mls.profile b/rhel9/profiles/ospp-mls.profile
new file mode 100644
index 00000000000..d1d1b8aff73
--- /dev/null
+++ b/rhel9/profiles/ospp-mls.profile
@@ -0,0 +1,25 @@
+documentation_complete: false
+
+title: 'Protection Profile for General Purpose Operating Systems - MLS Mode'
+
+description: |-
+ Placeholder to put MLS specific rules
+
+extends: ospp
+
+selections:
+
+ ################################################
+ ## MUST INSTALL PACKAGES IN MLS MODE
+ #cups
+ #foomatic
+ #ghostscript
+ #ghostscript-fonts
+ #checkpolicy
+ #mcstrans
+ #policycoreutils-newrole
+ #selinux-policy-devel
+ ##xinetd
+ #iproute
+ #iputils
+ #netlabel_tools
diff --git a/rhel9/profiles/ospp.profile b/rhel9/profiles/ospp.profile
new file mode 100644
index 00000000000..c4a43dc5eb6
--- /dev/null
+++ b/rhel9/profiles/ospp.profile
@@ -0,0 +1,444 @@
+documentation_complete: true
+
+metadata:
+ version: 4.2.1
+ SMEs:
+ - comps
+ - carlosmmatos
+ - stevegrubb
+
+reference: https://www.niap-ccevs.org/Profile/PP.cfm
+
+title: 'Protection Profile for General Purpose Operating Systems'
+
+description: |-
+ This profile reflects mandatory configuration controls identified in the
+ NIAP Configuration Annex to the Protection Profile for General Purpose
+ Operating Systems (Protection Profile Version 4.2.1).
+
+ This configuration profile is consistent with CNSSI-1253, which requires
+ U.S. National Security Systems to adhere to certain configuration
+ parameters. Accordingly, this configuration profile is suitable for
+ use in U.S. National Security Systems.
+
+selections:
+
+ #######################################################
+ ### GENERAL REQUIREMENTS
+ ### Things needed to meet OSPP functional requirements.
+ #######################################################
+
+ ### Partitioning
+ - mount_option_home_nodev
+ - mount_option_home_nosuid
+ - mount_option_tmp_nodev
+ - mount_option_tmp_noexec
+ - mount_option_tmp_nosuid
+ - partition_for_var_tmp
+ - mount_option_var_tmp_nodev
+ - mount_option_var_tmp_noexec
+ - mount_option_var_tmp_nosuid
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_noexec
+ - mount_option_dev_shm_nosuid
+ - mount_option_nodev_nonroot_local_partitions
+ - mount_option_boot_nodev
+ - mount_option_boot_nosuid
+ - partition_for_home
+ - partition_for_var
+ - mount_option_var_nodev
+ - partition_for_var_log
+ - mount_option_var_log_nodev
+ - mount_option_var_log_nosuid
+ - mount_option_var_log_noexec
+ - partition_for_var_log_audit
+ - mount_option_var_log_audit_nodev
+ - mount_option_var_log_audit_nosuid
+ - mount_option_var_log_audit_noexec
+
+ ### Services
+ # sshd
+ - sshd_disable_root_login
+ - sshd_enable_strictmodes
+ - disable_host_auth
+ - sshd_disable_empty_passwords
+ - sshd_disable_kerb_auth
+ - sshd_disable_gssapi_auth
+ - var_sshd_set_keepalive=0
+ - sshd_enable_warning_banner
+ - sshd_rekey_limit
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+# - sshd_use_strong_rng # not supported in RHEL9 ATM
+# - openssl_use_strong_entropy # not supported in RHEL9 ATM
+
+ # Time Server
+# - chronyd_client_only # not supported in RHEL9 ATM
+# - chronyd_no_chronyc_network # not supported in RHEL9 ATM
+
+ ### Network Settings
+ - sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_tcp_syncookies
+
+ ### systemd
+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
+# - service_debug-shell_disabled # not supported in RHEL9 ATM
+
+ ### umask
+ - var_accounts_user_umask=027
+ - accounts_umask_etc_profile
+ - accounts_umask_etc_bashrc
+# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
+
+ ### Software update
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_never_disabled
+
+ ### Passwords
+ - var_password_pam_difok=4
+ - accounts_password_pam_difok
+ - var_password_pam_maxrepeat=3
+ - accounts_password_pam_maxrepeat
+ - var_password_pam_maxclassrepeat=4
+ - accounts_password_pam_maxclassrepeat
+
+ ### Kernel Config
+ ## Boot prompt
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - grub2_slub_debug_argument
+ - grub2_page_poison_argument
+ - grub2_vsyscall_argument
+ - grub2_vsyscall_argument.role=unscored
+ - grub2_vsyscall_argument.severity=info
+ - grub2_pti_argument
+ - grub2_kernel_trust_cpu_rng
+
+ ## Security Settings
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_kexec_load_disabled
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_perf_event_paranoid
+ - sysctl_user_max_user_namespaces
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_net_core_bpf_jit_harden
+ - service_kdump_disabled
+
+ ## File System Settings
+ - sysctl_fs_protected_hardlinks
+ - sysctl_fs_protected_symlinks
+
+ ### Audit
+ - service_auditd_enabled
+ - var_auditd_flush=incremental_async
+ - auditd_data_retention_flush
+ - auditd_local_events
+ - auditd_write_logs
+ - auditd_log_format
+ - auditd_freq
+ - auditd_name_format
+
+ ### Module Blacklist
+ - kernel_module_cramfs_disabled
+ - kernel_module_bluetooth_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_firewire-core_disabled
+ - kernel_module_atm_disabled
+ - kernel_module_can_disabled
+ - kernel_module_tipc_disabled
+
+ ### rpcbind
+
+ ### Install Required Packages
+ - package_aide_installed
+ - package_dnf-automatic_installed
+ - package_subscription-manager_installed
+# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
+ - package_firewalld_installed
+ - package_openscap-scanner_installed
+ - package_policycoreutils_installed
+ - package_sudo_installed
+ - package_usbguard_installed
+ - package_scap-security-guide_installed
+ - package_audit_installed
+ - package_crypto-policies_installed
+ - package_openssh-server_installed
+ - package_openssh-clients_installed
+ - package_policycoreutils-python-utils_installed
+ - package_rsyslog_installed
+ - package_rsyslog-gnutls_installed
+ - package_audispd-plugins_installed
+ - package_chrony_installed
+ - package_gnutls-utils_installed
+
+ ### Remove Prohibited Packages
+ - package_sendmail_removed
+ - package_iprutils_removed
+ - package_gssproxy_removed
+ - package_nfs-utils_removed
+ - package_krb5-workstation_removed
+ - package_abrt-addon-kerneloops_removed
+ - package_abrt-addon-python_removed
+ - package_abrt-addon-ccpp_removed
+ - package_abrt-plugin-rhtsupport_removed
+ - package_abrt-plugin-logger_removed
+ - package_abrt-plugin-sosreport_removed
+ - package_abrt-cli_removed
+ - package_abrt_removed
+
+ ### Login
+ - disable_users_coredumps
+ - sysctl_kernel_core_pattern
+# - coredump_disable_storage
+# - coredump_disable_backtraces
+ - service_systemd-coredump_disabled
+ - var_accounts_max_concurrent_login_sessions=10
+ - accounts_max_concurrent_login_sessions
+ - securetty_root_login_console_only
+ - var_password_pam_unix_remember=5
+ - accounts_password_pam_unix_remember
+# - use_pam_wheel_for_su # not supported in RHEL9 ATM
+
+ ### SELinux Configuration
+ - var_selinux_state=enforcing
+ - selinux_state
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ ### Application Whitelisting (RHEL 9)
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+
+ ### Configure USBGuard
+ - service_usbguard_enabled
+ - configure_usbguard_auditbackend
+ - usbguard_allow_hid_and_hub
+
+
+ ### Enable / Configure FIPS
+# - enable_fips_mode # not supported in RHEL9 ATM
+ - var_system_crypto_policy=fips_ospp
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_kerberos_crypto_policy
+# - enable_dracut_fips_module # not supported in RHEL9 ATM
+
+ #######################################################
+ ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE
+ ### FOR GENERAL PURPOSE OPERATING SYSTEMS
+ ### ANNEX RELEASE 1
+ ### FOR PROTECTION PROFILE VERSIONS 4.2
+ ###
+ ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/
+ #######################################################
+
+ ## Configure Minimum Password Length to 12 Characters
+ ## IA-5 (1)(a) / FMT_MOF_EXT.1
+ - var_accounts_password_minlen_login_defs=12
+ - accounts_password_minlen_login_defs
+ - var_password_pam_minlen=12
+ - accounts_password_pam_minlen
+
+ ## Require at Least 1 Special Character in Password
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
+ - var_password_pam_ocredit=1
+ - accounts_password_pam_ocredit
+
+ ## Require at Least 1 Numeric Character in Password
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
+ - var_password_pam_dcredit=1
+ - accounts_password_pam_dcredit
+
+ ## Require at Least 1 Uppercase Character in Password
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
+ - var_password_pam_ucredit=1
+ - accounts_password_pam_ucredit
+
+ ## Require at Least 1 Lowercase Character in Password
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
+ - var_password_pam_lcredit=1
+ - accounts_password_pam_lcredit
+
+ ## Enable Screen Lock
+ ## FMT_MOF_EXT.1
+ - package_tmux_installed
+# - configure_bashrc_exec_tmux # not supported in RHEL9 ATM
+# - no_tmux_in_shells # not supported in RHEL9 ATM
+# - configure_tmux_lock_command # not supported in RHEL9 ATM
+# - configure_tmux_lock_after_time # not supported in RHEL9 ATM
+
+ ## Set Screen Lock Timeout Period to 30 Minutes or Less
+ ## AC-11(a) / FMT_MOF_EXT.1
+ ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
+ - sshd_idle_timeout_value=14_minutes
+ - sshd_set_idle_timeout
+
+ ## Disable Unauthenticated Login (such as Guest Accounts)
+ ## FIA_UAU.1
+ - require_singleuser_auth
+# - grub2_disable_interactive_boot # not supported in RHEL9 ATM
+# - grub2_uefi_password # not supported in RHEL9 ATM
+ - no_empty_passwords
+
+ ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes
+ ## AC-7 / FIA_AFL.1
+ - var_accounts_passwords_pam_faillock_deny=3
+ - accounts_passwords_pam_faillock_deny
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - accounts_passwords_pam_faillock_interval
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+ - accounts_passwords_pam_faillock_unlock_time
+
+ ## Enable Host-Based Firewall
+ ## SC-7(12) / FMT_MOF_EXT.1
+ - service_firewalld_enabled
+
+ ## Configure Name/Addres of Remote Management Server
+ ## From Which to Receive Config Settings
+ ## CM-3(3) / FMT_MOF_EXT.1
+
+ ## Configure the System to Offload Audit Records to a Log
+ ## Server
+ ## AU-4(1) / FAU_GEN.1.1.c
+ # temporarily dropped
+
+ ## Set Logon Warning Banner
+ ## AC-8(a) / FMT_MOF_EXT.1
+
+ ## Audit All Logons (Success/Failure) and Logoffs (Success)
+ ## CNSSI 1253 Value or DoD-Specific Values:
+ ## (1) Logons (Success/Failure)
+ ## (2) Logoffs (Success)
+ ## AU-2(a) / FAU_GEN.1.1.c
+
+ ## Audit File and Object Events (Unsuccessful)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## (1) Create (Success/Failure)
+ ## (2) Access (Success/Failure)
+ ## (3) Delete (Sucess/Failure)
+ ## (4) Modify (Success/Failure)
+ ## (5) Permission Modification (Sucess/Failure)
+ ## (6) Ownership Modification (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ##
+ ##
+ ## (1) Create (Success/Failure)
+ ## (open with O_CREAT)
+ ## (2) Access (Success/Failure)
+ ## (3) Delete (Success/Failure)
+ ## (4) Modify (Success/Failure)
+ ## (5) Permission Modification (Success/Failure)
+ ## (6) Ownership Modification (Success/Failure)
+
+ ## Audit User and Group Management Events (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## (1) User add, delete, modify, disable, enable (Success/Failure)
+ ## (2) Group/Role add, delete, modify (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ##
+ ## Generic User and Group Management Events (Success/Failure)
+ ## Selection of setuid programs that relate to
+ ## user accounts.
+ ##
+ ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure)
+ ##
+ ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure)
+ ##
+ ## Audit Privilege or Role Escalation Events (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Privilege/Role escalation (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit All Audit and Log Data Accesses (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Audit and log data access (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit Cryptographic Verification of Software (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite,
+ ## etc) initialization (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+ - audit_basic_configuration
+ - audit_immutable_login_uids
+ - audit_create_failed
+ - audit_create_success
+ - audit_modify_failed
+ - audit_modify_success
+ - audit_access_failed
+ - audit_access_success
+ - audit_delete_failed
+ - audit_delete_success
+ - audit_perm_change_failed
+ - audit_perm_change_success
+ - audit_owner_change_failed
+ - audit_owner_change_success
+ - audit_ospp_general
+ - audit_module_load
+
+ ## Enable Automatic Software Updates
+ ## SI-2 / FMT_MOF_EXT.1
+ # Configure dnf-automatic to Install Only Security Updates
+ - dnf-automatic_security_updates_only
+
+ # Configure dnf-automatic to Install Available Updates Automatically
+ - dnf-automatic_apply_updates
+
+ # Enable dnf-automatic Timer
+ - timer_dnf-automatic_enabled
+
+ # Configure TLS for remote logging
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+
+ # Prevent Kerberos use by system daemons
+ - kerberos_disable_no_keytab
+
+ # set ssh client rekey limit
+# - ssh_client_rekey_limit # not supported in RHEL9 ATM
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
+
+# configure ssh client to use strong entropy
+# - ssh_client_use_strong_rng_sh # not supported in RHEL9 ATM
+# - ssh_client_use_strong_rng_csh # not supported in RHEL9 ATM
+
+ # zIPl specific rules
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
+ - zipl_audit_argument
+ - zipl_audit_backlog_limit_argument
+ - zipl_slub_debug_argument
+ - zipl_page_poison_argument
+ - zipl_vsyscall_argument
+ - zipl_vsyscall_argument.role=unscored
+ - zipl_vsyscall_argument.severity=info
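Review bot: The profile is marked `documentation_complete: true` and its description still says it is "suitable for use in U.S. National Security Systems", yet this hunk comments out `enable_fips_mode`, `enable_dracut_fips_module`, `grub2_uefi_password`, `grub2_disable_interactive_boot` and all four tmux lock rules. A scan against this profile would therefore report compliance without checking FIPS mode, boot-loader authentication or session locking. Until those rules are available for RHEL9, either set `documentation_complete: false` or add a sentence to the description saying which requirements are not yet evaluated. The comment `## We deliberately set sshd timeout to 1 minute before tmux lock timeout` is also stale while `configure_tmux_lock_after_time` is disabled, and should say so.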
diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
index 3ad218b5a0d..966b2d5e1d8 100644
--- a/rhel9/profiles/pci-dss.profile
+++ b/rhel9/profiles/pci-dss.profile
@@ -6,14 +6,142 @@ metadata:
reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
-title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'
+title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
description: |-
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
selections:
- # selections are empty because almost no rules are applicable for RHEL9
- - package_rsyslog_installed
+ - var_password_pam_unix_remember=4
+ - var_account_disable_post_pw_expiration=90
+ - var_accounts_passwords_pam_faillock_deny=6
+ - var_accounts_passwords_pam_faillock_unlock_time=1800
+ - sshd_idle_timeout_value=15_minutes
+ - var_password_pam_minlen=7
+ - var_password_pam_minclass=2
+ - var_accounts_maximum_age_login_defs=90
+ - var_auditd_num_logs=5
+ - service_auditd_enabled
+ - grub2_audit_argument
+ - auditd_data_retention_num_logs
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_action_mail_acct
+ - package_audispd-plugins_installed
+ - auditd_audispd_syslog_plugin_activated
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_networkconfig_modification
+ - file_permissions_var_log_audit
+ - file_ownership_var_log_audit
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_login_events
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_immutable
+ - var_multiple_time_servers=rhel
+# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
+# - chronyd_or_ntpd_specify_remote_server # not supported in RHEL9 ATM
+# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+# - install_hids # not supported in RHEL9 ATM
- rsyslog_files_permissions
- rsyslog_files_ownership
- rsyslog_files_groupownership
+ - ensure_logrotate_activated
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - account_unique_name
+ - gid_passwd_group_same
+ - accounts_password_all_shadowed
+ - no_empty_passwords
+ - display_login_attempts
+ - account_disable_post_pw_expiration
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_unlock_time
+# - dconf_db_up_to_date # not supported in RHEL9 ATM
+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
+# - dconf_gnome_screensaver_idle_activation_enabled # not supported in RHEL9 ATM
+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
+# - dconf_gnome_screensaver_mode_blank # not supported in RHEL9 ATM
+ - sshd_set_idle_timeout
+ - var_sshd_set_keepalive=0
+ - accounts_password_pam_minlen
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_unix_remember
+ - accounts_maximum_age_login_defs
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - security_patches_up_to_date
+ - package_opensc_installed
+ - var_smartcard_drivers=cac
+# - configure_opensc_card_drivers # not supported in RHEL9 ATM
+# - force_opensc_card_drivers # not supported in RHEL9 ATM
+# - package_pcsc-lite_installed # not supported in RHEL9 ATM
+# - service_pcscd_enabled # not supported in RHEL9 ATM
+# - sssd_enable_smartcards # not supported in RHEL9 ATM
+ - set_password_hashing_algorithm_systemauth
+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - package_libreswan_installed
+ - configure_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_kerberos_crypto_policy
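Review bot: The title is changed from `... Red Hat Enterprise Linux 9` to `... Red Hat Enterprise Linux 8` in a file under rhel9/profiles, so scan reports and tailoring tools would label the RHEL 9 baseline as RHEL 8. Keep `title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'`. The same copied wording appears in the description of rht-ccp.profile and in the title and description of standard.profile and stig.profile later in this patch. In stig.profile the RHEL 8 wording may be deliberate, since its rule IDs are `RHEL-08-*`, but the title should then say it is a draft derived from the RHEL 8 STIG.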
diff --git a/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
new file mode 100644
index 00000000000..3b734c2b2c5
--- /dev/null
+++ b/rhel9/profiles/rht-ccp.profile
@@ -0,0 +1,100 @@
+documentation_complete: true
+
+title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+
+description: |-
+ This profile contains the minimum security relevant
+ configuration settings recommended by Red Hat, Inc for
+ Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
+ Cloud Providers.
+
+selections:
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+ - file_owner_logfiles_value=root
+ - file_groupowner_logfiles_value=root
+ - sshd_idle_timeout_value=5_minutes
+ - var_accounts_password_minlen_login_defs=6
+ - var_accounts_minimum_age_login_defs=7
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_password_warn_age_login_defs=7
+ - var_password_pam_retry=3
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=2
+ - var_password_pam_ocredit=2
+ - var_password_pam_lcredit=2
+ - var_password_pam_difok=3
+ - var_password_pam_unix_remember=5
+ - var_accounts_user_umask=077
+ - login_banner_text=usgcb_default
+ - partition_for_tmp
+ - partition_for_var
+ - partition_for_var_log
+ - partition_for_var_log_audit
+ - selinux_state
+ - selinux_policytype
+ - ensure_redhat_gpgkey_installed
+ - security_patches_up_to_date
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - package_aide_installed
+ - accounts_password_pam_unix_remember
+ - no_shelllogin_for_systemaccounts
+ - no_empty_passwords
+ - accounts_password_all_shadowed
+ - accounts_no_uid_except_zero
+ - accounts_password_minlen_login_defs
+ - accounts_minimum_age_login_defs
+ - accounts_password_warn_age_login_defs
+ - accounts_password_pam_retry
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_difok
+ - accounts_passwords_pam_faillock_deny
+ - set_password_hashing_algorithm_systemauth
+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
+ - require_singleuser_auth
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_gshadow
+ - file_groupowner_etc_gshadow
+ - file_permissions_etc_gshadow
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_permissions_library_dirs
+ - file_ownership_library_dirs
+ - file_permissions_binary_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_var_log_audit
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - grub2_password
+ - kernel_module_dccp_disabled
+ - kernel_module_sctp_disabled
+ - service_firewalld_enabled
+ - set_firewalld_default_zone
+# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
+ - service_abrtd_disabled
+ - service_telnet_disabled
+ - package_telnet-server_removed
+ - package_telnet_removed
+ - sshd_allow_only_protocol2
+ - sshd_set_idle_timeout
+ - var_sshd_set_keepalive=0
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_enable_warning_banner
+ - sshd_do_not_permit_user_env
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
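Review bot: With `set_password_hashing_algorithm_logindefs` and `set_password_hashing_algorithm_libuserconf` commented out, only `set_password_hashing_algorithm_systemauth` remains, so the profile checks the hashing algorithm on the PAM path alone. Judging by the rule names, the settings in login.defs and libuser.conf are left unchecked. The pci-dss.profile hunk has the same gap. A bare "not supported in RHEL9 ATM" gives no way to tell when the rules can be restored; a comment above the pair such as `# TODO(<tracking issue>): re-enable once available for rhel9; login.defs/libuser hashing is unchecked until then` would record it.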
diff --git a/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
new file mode 100644
index 00000000000..a63ae2cf328
--- /dev/null
+++ b/rhel9/profiles/standard.profile
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
+
+description: |-
+ This profile contains rules to ensure standard security baseline
+ of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload
+ all of these checks should pass.
+
+selections:
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - security_patches_up_to_date
+ - no_empty_passwords
+ - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_world_writable
+ - accounts_root_path_dirs_no_write
+ - dir_perms_world_writable_sticky_bits
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nosuid
+ - partition_for_var_log
+ - partition_for_var_log_audit
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification
+ - audit_rules_networkconfig_modification
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_unsuccessful_file_modification
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading
+ - service_abrtd_disabled
+ - service_atd_disabled
+ - service_autofs_disabled
+ - service_ntpdate_disabled
+ - service_oddjobd_disabled
+ - service_qpidd_disabled
+ - service_rdisc_disabled
+ - configure_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_kerberos_crypto_policy
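Review bot: The selections include the `audit_rules_*` checks and `partition_for_var_log_audit` but nothing that verifies the audit daemon itself. As far as the rule names show, a host could pass every audit rule here with auditd stopped or disabled. Adding `- service_auditd_enabled` (already selected by the ospp and pci-dss profiles in this patch) ahead of the first `audit_rules_` entry would close that gap.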
diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
new file mode 100644
index 00000000000..50548f7e8eb
--- /dev/null
+++ b/rhel9/profiles/stig.profile
@@ -0,0 +1,1069 @@
+documentation_complete: true
+
+metadata:
+ version: V1R2
+ SMEs:
+ - carlosmmatos
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DISA STIG for Red Hat Enterprise Linux 8'
+
+description: |-
+ This profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux 8 V1R2.
+
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
+
+selections:
+ ### Variables
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - var_accounts_user_umask=077
+ - var_password_pam_difok=8
+ - var_password_pam_maxrepeat=3
+ - var_sshd_disable_compression=no
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_maxclassrepeat=4
+ - var_password_pam_minclass=4
+ - var_accounts_minimum_age_login_defs=1
+ - var_accounts_max_concurrent_login_sessions=10
+ - var_password_pam_unix_remember=5
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+ - var_accounts_password_minlen_login_defs=15
+ - var_password_pam_unix_rounds=5000
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
+ - var_password_pam_minlen=15
+ - var_sshd_set_keepalive=0
+ - sshd_idle_timeout_value=10_minutes
+ - var_accounts_passwords_pam_faillock_deny=3
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
+ - var_accounts_fail_delay=4
+ - var_account_disable_post_pw_expiration=35
+ - var_auditd_action_mail_acct=root
+ - var_time_service_set_maxpoll=18_hours
+ - var_accounts_maximum_age_login_defs=60
+ - var_auditd_space_left=250MB
+ - var_auditd_space_left_action=email
+ - var_auditd_disk_error_action=halt
+ - var_auditd_max_log_file_action=syslog
+ - var_auditd_disk_full_action=halt
+
+ ### Enable / Configure FIPS
+# - enable_fips_mode # not supported in RHEL9 ATM
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_kerberos_crypto_policy
+# - enable_dracut_fips_module # not supported in RHEL9 ATM
+
+ ### Rules:
+ # RHEL-08-010070
+ - installed_OS_is_vendor_supported
+
+ # RHEL-08-010010
+ - security_patches_up_to_date
+
+ # RHEL-08-010020
+ - sysctl_crypto_fips_enabled
+
+ # RHEL-08-010030
+ - encrypt_partitions
+
+ # RHEL-08-010040
+ - sshd_enable_warning_banner
+
+ # RHEL-08-010050
+# - dconf_gnome_banner_enabled # not supported in RHEL9 ATM
+# - dconf_gnome_login_banner_text # not supported in RHEL9 ATM
+
+ # RHEL-08-010060
+ - banner_etc_issue
+
+ # RHEL-08-010070
+
+ # RHEL-08-010090
+
+ # RHEL-08-010100
+
+ # RHEL-08-010110
+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
+
+ # RHEL-08-010120
+
+ # RHEL-08-010130
+ - accounts_password_pam_unix_rounds_system_auth
+ - accounts_password_pam_unix_rounds_password_auth
+
+ # RHEL-08-010140
+# - grub2_uefi_password # not supported in RHEL9 ATM
+# - grub2_uefi_admin_username # not supported in RHEL9 ATM
+
+ # RHEL-08-010150
+ - grub2_password
+# - grub2_admin_username # not supported in RHEL9 ATM
+
+ # RHEL-08-010151
+ - require_singleuser_auth
+ - require_emergency_target_auth
+
+ # RHEL-08-010152
+ # To be released in V1R3
+ # - require_emergency_target_auth
+
+ # RHEL-08-010160
+ - set_password_hashing_algorithm_systemauth
+
+ # RHEL-08-010161
+ - kerberos_disable_no_keytab
+
+ # RHEL-08-010162
+ - package_krb5-workstation_removed
+
+ # RHEL-08-010170
+ - selinux_state
+
+ # RHEL-08-010171
+ - package_policycoreutils_installed
+
+ # RHEL-08-010180
+
+ # RHEL-08-010190
+ - dir_perms_world_writable_sticky_bits
+
+ # RHEL-08-010200
+ - sshd_set_idle_timeout
+
+ # RHEL-08-010210
+ - file_permissions_var_log_messages
+
+ # RHEL-08-010220
+ - file_owner_var_log_messages
+
+ # RHEL-08-010230
+ - file_groupowner_var_log_messages
+
+ # RHEL-08-010240
+ - file_permissions_var_log
+
+ # RHEL-08-010250
+ - file_owner_var_log
+
+ # RHEL-08-010260
+ - file_groupowner_var_log
+
+ # RHEL-08-010290 && RHEL-08-010291
+ ### NOTE: This will get split out in future STIG releases, as well as we will break
+ ### these rules up to be more flexible in meeting the requirements.
+ - configure_ssh_crypto_policy
+
+ # RHEL-08-010292
+# - sshd_use_strong_rng # not supported in RHEL9 ATM
+
+ # RHEL-08-010293
+ - configure_openssl_crypto_policy
+
+ # RHEL-08-010294
+ - configure_openssl_tls_crypto_policy
+
+ # RHEL-08-010295
+# - configure_gnutls_tls_crypto_policy # not supported in RHEL9 ATM
+
+ # RHEL-08-010300
+ - file_permissions_binary_dirs
+
+ # RHEL-08-010310
+ - file_ownership_binary_dirs
+
+ # RHEL-08-010320
+
+ # RHEL-08-010330
+ - file_permissions_library_dirs
+
+ # RHEL-08-010340
+ - file_ownership_library_dirs
+
+ # RHEL-08-010350
+
+ # RHEL-08-010360
+ - package_aide_installed
+ - aide_scan_notification
+
+ # RHEL-08-010370
+ - ensure_gpgcheck_globally_activated
+
+ # RHEL-08-010371
+ - ensure_gpgcheck_local_packages
+
+ # RHEL-08-010372
+ - sysctl_kernel_kexec_load_disabled
+
+ # RHEL-08-010373
+ - sysctl_fs_protected_symlinks
+
+ # RHEL-08-010374
+ - sysctl_fs_protected_hardlinks
+
+ # RHEL-08-010375
+ - sysctl_kernel_dmesg_restrict
+
+ # RHEL-08-010376
+ - sysctl_kernel_perf_event_paranoid
+
+ # RHEL-08-010380
+ - sudo_remove_nopasswd
+
+ # RHEL-08-010381
+ - sudo_remove_no_authenticate
+
+ # RHEL-08-010382
+ - sudo_restrict_privilege_elevation_to_authorized
+
+ # RHEL-08-010383
+ - sudoers_validate_passwd
+
+ # RHEL-08-010390
+ - install_smartcard_packages
+
+ # RHEL-08-010400
+
+ # RHEL-08-010410
+ - package_opensc_installed
+
+ # RHEL-08-010420
+
+ # RHEL-08-010421
+ - grub2_page_poison_argument
+
+ # RHEL-08-010422
+ - grub2_vsyscall_argument
+
+ # RHEL-08-010423
+ - grub2_slub_debug_argument
+
+ # RHEL-08-010430
+ - sysctl_kernel_randomize_va_space
+
+ # RHEL-08-010440
+ - clean_components_post_updating
+
+ # RHEL-08-010450
+ - selinux_policytype
+
+ # RHEL-08-010460
+# - no_host_based_files # not supported in RHEL9 ATM
+
+ # RHEL-08-010470
+# - no_user_host_based_files # not supported in RHEL9 ATM
+
+ # RHEL-08-010471
+ - service_rngd_enabled
+ - package_rng-tools_installed
+
+ # RHEL-08-010480
+ - file_permissions_sshd_pub_key
+
+ # RHEL-08-010490
+ - file_permissions_sshd_private_key
+
+ # RHEL-08-010500
+ - sshd_enable_strictmodes
+
+ # RHEL-08-010510
+ - sshd_disable_compression
+
+ # RHEL-08-010520
+ - sshd_disable_user_known_hosts
+
+ # RHEL-08-010521
+ - sshd_disable_kerb_auth
+ - sshd_disable_gssapi_auth
+
+ # RHEL-08-010540
+ - partition_for_var
+
+ # RHEL-08-010541
+ - partition_for_var_log
+
+ # RHEL-08-010542
+ - partition_for_var_log_audit
+
+ # RHEL-08-010543
+ - partition_for_tmp
+
+ # RHEL-08-010544
+ ### NOTE: Will probably show up in V1R3 - Q3 of 21'
+ - partition_for_var_tmp
+
+ # RHEL-08-010550
+ - sshd_disable_root_login
+
+ # RHEL-08-010560
+ - service_auditd_enabled
+
+ # RHEL-08-010561
+ - service_rsyslog_enabled
+
+ # RHEL-08-010570
+ - mount_option_home_nosuid
+
+ # RHEL-08-010571
+ - mount_option_boot_nosuid
+
+ # RHEL-08-010580
+ - mount_option_nodev_nonroot_local_partitions
+
+ # RHEL-08-010590
+
+ # RHEL-08-010600
+ - mount_option_nodev_removable_partitions
+
+ # RHEL-08-010610
+ - mount_option_noexec_removable_partitions
+
+ # RHEL-08-010620
+ - mount_option_nosuid_removable_partitions
+
+ # RHEL-08-010630
+ - mount_option_noexec_remote_filesystems
+
+ # RHEL-08-010640
+ - mount_option_nodev_remote_filesystems
+
+ # RHEL-08-010650
+ - mount_option_nosuid_remote_filesystems
+
+ # RHEL-08-010660
+# - accounts_user_dot_no_world_writable_programs # not supported in RHEL9 ATM
+
+ # RHEL-08-010670
+ - service_kdump_disabled
+
+ # RHEL-08-010671
+ - sysctl_kernel_core_pattern
+
+ # RHEL-08-010672
+ - service_systemd-coredump_disabled
+
+ # RHEL-08-010673
+ - disable_users_coredumps
+
+ # RHEL-08-010674
+# - coredump_disable_storage
+
+ # RHEL-08-010675
+# - coredump_disable_backtraces
+
+ # RHEL-08-010680
+# - network_configure_name_resolution # not supported in RHEL9 ATM
+
+ # RHEL-08-010690
+# - accounts_user_home_paths_only # not supported in RHEL9 ATM
+
+ # RHEL-08-010700
+ - dir_perms_world_writable_root_owned
+
+ # RHEL-08-010710
+
+ # RHEL-08-010720
+# - accounts_user_interactive_home_directory_defined # not supported in RHEL9 ATM
+
+ # RHEL-08-010730
+ - file_permissions_home_directories
+
+ # RHEL-08-010740
+ - file_groupownership_home_directories
+
+ # RHEL-08-010750
+ - accounts_user_interactive_home_directory_exists
+
+ # RHEL-08-010760
+# - accounts_have_homedir_login_defs # not supported in RHEL9 ATM
+
+ # RHEL-08-010770
+ - file_permission_user_init_files
+
+ # RHEL-08-010780
+ - no_files_unowned_by_user
+
+ # RHEL-08-010790
+ - file_permissions_ungroupowned
+
+ # RHEL-08-010800
+ - partition_for_home
+
+ # RHEL-08-010820
+# - gnome_gdm_disable_automatic_login # not supported in RHEL9 ATM
+
+ # RHEL-08-010830
+ - sshd_do_not_permit_user_env
+
+ # RHEL-08-020000
+# - account_temp_expire_date # not supported in RHEL9 ATM
+
+ # RHEL-08-020010
+ - accounts_passwords_pam_faillock_deny
+
+ # RHEL-08-020011
+
+ # RHEL-08-020012
+ - accounts_passwords_pam_faillock_interval
+
+ # RHEL-08-020013
+
+ # RHEL-08-020014
+ - accounts_passwords_pam_faillock_unlock_time
+
+ # RHEL-08-020015
+
+ # RHEL-08-020016
+
+ # RHEL-08-020017
+
+ # RHEL-08-020018
+
+ # RHEL-08-020019
+
+ # RHEL-08-020020
+
+ # RHEL-08-020021
+
+ # RHEL-08-020022
+ - accounts_passwords_pam_faillock_deny_root
+
+ # RHEL-08-020023
+
+ # RHEL-08-020024
+ - accounts_max_concurrent_login_sessions
+
+ # RHEL-08-020030
+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
+
+ # RHEL-08-020040
+ - package_tmux_installed
+# - configure_tmux_lock_command # not supported in RHEL9 ATM
+
+ # RHEL-08-020041
+# - configure_bashrc_exec_tmux # not supported in RHEL9 ATM
+
+ # RHEL-08-020042
+# - no_tmux_in_shells # not supported in RHEL9 ATM
+
+ # RHEL-08-020050
+# - dconf_gnome_lock_screen_on_smartcard_removal # not supported in RHEL9 ATM
+
+ # RHEL-08-020060
+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
+
+ # RHEL-08-020070
+# - configure_tmux_lock_after_time # not supported in RHEL9 ATM
+
+ # RHEL-08-020080
+
+ # RHEL-08-020090
+
+ # RHEL-08-020100
+ - accounts_password_pam_retry
+
+ # RHEL-08-020110
+ - accounts_password_pam_ucredit
+
+ # RHEL-08-020120
+ - accounts_password_pam_lcredit
+
+ # RHEL-08-020130
+ - accounts_password_pam_dcredit
+
+ # RHEL-08-020140
+ - accounts_password_pam_maxclassrepeat
+
+ # RHEL-08-020150
+ - accounts_password_pam_maxrepeat
+
+ # RHEL-08-020160
+ - accounts_password_pam_minclass
+
+ # RHEL-08-020170
+ - accounts_password_pam_difok
+
+ # RHEL-08-020180
+# - accounts_password_set_min_life_existing # not supported in RHEL9 ATM
+
+ # RHEL-08-020190
+ - accounts_minimum_age_login_defs
+
+ # RHEL-08-020200
+ - accounts_maximum_age_login_defs
+
+ # RHEL-08-020210
+# - accounts_password_set_max_life_existing # not supported in RHEL9 ATM
+
+ # RHEL-08-020220
+ - accounts_password_pam_unix_remember
+
+ # RHEL-08-020230
+ - accounts_password_pam_minlen
+
+ # RHEL-08-020231
+ - accounts_password_minlen_login_defs
+
+ # RHEL-08-020240
+
+ # RHEL-08-020250
+# - sssd_enable_smartcards # not supported in RHEL9 ATM
+
+ # RHEL-08-020260
+ - account_disable_post_pw_expiration
+
+ # RHEL-08-020270
+
+ # RHEL-08-020280
+ - accounts_password_pam_ocredit
+
+ # RHEL-08-020290
+# - sssd_offline_cred_expiration # not supported in RHEL9 ATM
+
+ # RHEL-08-020300
+
+ # RHEL-08-020310
+ - accounts_logon_fail_delay
+
+ # RHEL-08-020320
+ # - accounts_authorized_local_users
+
+ # RHEL-08-020330
+ - no_empty_passwords
+ - sshd_disable_empty_passwords
+
+ # RHEL-08-020340
+ - display_login_attempts
+
+ # RHEL-08-020350
+ - sshd_print_last_log
+
+ # RHEL-08-020351
+ - accounts_umask_etc_login_defs
+
+ # RHEL-08-020352
+# - accounts_umask_interactive_users # not supported in RHEL9 ATM
+
+ # RHEL-08-020353
+ - accounts_umask_etc_bashrc
+
+ # RHEL-08-030000
+# - audit_rules_suid_privilege_function # not supported in RHEL9 ATM
+
+ # RHEL-08-030010
+ - rsyslog_cron_logging
+
+ # RHEL-08-030020
+ - auditd_data_retention_action_mail_acct
+
+ # RHEL-08-030030
+ - postfix_client_configure_mail_alias
+
+ # RHEL-08-030040
+ - auditd_data_disk_error_action
+
+ # RHEL-08-030050
+ - auditd_data_retention_max_log_file_action
+
+ # RHEL-08-030060
+ - auditd_data_disk_full_action
+
+ # RHEL-08-030061
+ - auditd_local_events
+
+ # RHEL-08-030062
+ - auditd_name_format
+
+ # RHEL-08-030063
+ - auditd_log_format
+
+ # RHEL-08-030070
+ - file_permissions_var_log_audit
+
+ # RHEL-08-030080, RHEL-08-030090, RHEL-08-030100, RHEL-08-030110
+ ### NOTE: These might get broken up, but currently the following
+ ### rule accounts for these STIG ID's
+ - file_ownership_var_log_audit
+
+ # RHEL-08-030120
+ - directory_permissions_var_log_audit
+
+ # *** NOTE *** #
+ # Audit rules are currently under review as to how best to approach
+ # them. We are working with DISA and our internal audit experts to
+ # provide a final solution soon.
+ # ************ #
+
+ # RHEL-08-030121
+ # - audit_rules_immutable
+
+ # RHEL-08-030122
+ # - audit_immutable_login_uids
+
+ # RHEL-08-030130
+ # - audit_rules_usergroup_modification_shadow
+
+ # RHEL-08-030140
+ # - audit_rules_usergroup_modification_opasswd
+
+ # RHEL-08-030150
+ # - audit_rules_usergroup_modification_passwd
+
+ # RHEL-08-030160
+ # - audit_rules_usergroup_modification_gshadow
+
+ # RHEL-08-030170
+ # - audit_rules_usergroup_modification_group
+
+ # RHEL-08-030171, RHEL-08-030172
+ # - audit_rules_sysadmin_actions
+
+ # RHEL-08-030180
+ - package_audit_installed
+ - service_auditd_enabled
+
+ # RHEL-08-030190
+ # - audit_rules_privileged_commands_sudo
+
+ # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, RHEL-08-030230, RHEL-08-030240
+ # - audit_perm_change_failed
+ # - audit_perm_change_success
+
+ # RHEL-08-030250
+ # - audit_rules_privileged_commands_chage
+
+ # RHEL-08-030260
+ # - audit_rules_execution_chcon
+
+ # RHEL-08-030270
+ # - audit_perm_change_failed
+ # - audit_perm_change_success
+
+ # RHEL-08-030280
+
+ # RHEL-08-030290, RHEL-08-030300, RHEL-08-030301
+ # - audit_ospp_general
+
+ # RHEL-08-030302
+ # - audit_rules_media_export
+
+ # RHEL-08-030310
+
+ # RHEL-08-030311
+ # - audit_rules_privileged_commands_postdrop
+
+ # RHEL-08-030312
+ # - audit_rules_privileged_commands_postqueue
+
+ # RHEL-08-030313
+ # - audit_rules_execution_semanage
+
+ # RHEL-08-030314
+ # - audit_rules_execution_setfiles
+
+ # RHEL-08-030315
+ # - audit_ospp_general
+
+ # RHEL-08-030316
+ # - audit_rules_execution_setsebool
+
+ # RHEL-08-030317
+ # - audit_ospp_general
+
+ # RHEL-08-030320
+ # - audit_rules_privileged_commands_ssh_keysign
+
+ # RHEL-08-030330
+
+ # RHEL-08-030340
+ # - audit_rules_privileged_commands_pam_timestamp_check
+
+ # RHEL-08-030350
+ # - audit_ospp_general
+
+ # RHEL-08-030360
+ # - audit_module_load
+
+ # RHEL-08-030361, RHEL-08-030362
+ # - audit_delete_failed
+ # - audit_delete_success
+
+ # RHEL-08-030363
+
+ # RHEL-08-030364, RHEL-08-030365
+ # - audit_delete_failed
+ # - audit_delete_success
+
+ # RHEL-08-030370
+ # - audit_ospp_general
+
+ # RHEL-08-030380, RHEL-08-030390
+ # - audit_module_load
+
+ # RHEL-08-030400
+ # - audit_ospp_general
+
+ # RHEL-08-030410
+ # - audit_rules_privileged_commands_chsh
+
+ # RHEL-08-030420
+ # - audit_modify_failed
+ # - audit_modify_success
+
+ # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450
+ # - audit_create_failed
+ # - audit_create_success
+ # - audit_modify_failed
+ # - audit_modify_success
+ # - audit_access_failed
+ # - audit_access_success
+
+ # RHEL-08-030460
+ # - audit_modify_failed
+ # - audit_modify_success
+
+ # RHEL-08-030470
+ # - audit_create_failed
+ # - audit_create_success
+
+ # RHEL-08-030480
+ # - audit_owner_change_failed
+ # - audit_owner_change_success
+
+ # RHEL-08-030490
+ # - audit_perm_change_failed
+ # - audit_perm_change_success
+
+ # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520
+ # - audit_owner_change_failed
+ # - audit_owner_change_success
+
+ # RHEL-08-030530, RHEL-08-030540
+ # - audit_perm_change_failed
+ # - audit_perm_change_success
+
+ # RHEL-08-030550
+ # - audit_rules_privileged_commands_sudo
+
+ # RHEL-08-030560
+
+ # RHEL-08-030570
+
+ # RHEL-08-030580
+
+ # RHEL-08-030590
+ # - audit_rules_login_events_faillock
+
+ # RHEL-08-030600
+ # - audit_rules_login_events_lastlog
+
+ # RHEL-08-030601
+ - grub2_audit_argument
+
+ # RHEL-08-030602
+ - grub2_audit_backlog_limit_argument
+
+ # RHEL-08-030603
+ - configure_usbguard_auditbackend
+
+ # RHEL-08-030610
+
+ # RHEL-08-030620
+
+ # RHEL-08-030630
+
+ # RHEL-08-030640
+
+ # RHEL-08-030650
+
+ # RHEL-08-030660
+
+ # RHEL-08-030670
+ - package_rsyslog_installed
+
+ # RHEL-08-030680
+ - package_rsyslog-gnutls_installed
+
+ # RHEL-08-030690
+ - rsyslog_remote_loghost
+
+ # RHEL-08-030700
+
+ # RHEL-08-030710
+
+ # RHEL-08-030720
+
+ # RHEL-08-030730
+ # this rule expects configuration in MB instead percentage as how STIG demands
+ # - auditd_data_retention_space_left
+ - auditd_data_retention_space_left_action
+
+ # RHEL-08-030740
+ # remediation fails because default configuration file contains pool instead of server keyword
+# - chronyd_or_ntpd_set_maxpoll # not supported in RHEL9 ATM
+
+ # RHEL-08-030741
+# - chronyd_client_only # not supported in RHEL9 ATM
+
+ # RHEL-08-030742
+# - chronyd_no_chronyc_network # not supported in RHEL9 ATM
+
+ # RHEL-08-040000
+ - package_telnet-server_removed
+
+ # RHEL-08-040001
+ - package_abrt_removed
+ - package_abrt-addon-ccpp_removed
+ - package_abrt-addon-kerneloops_removed
+ - package_abrt-addon-python_removed
+ - package_abrt-cli_removed
+ - package_abrt-plugin-logger_removed
+ - package_abrt-plugin-rhtsupport_removed
+ - package_abrt-plugin-sosreport_removed
+
+ # RHEL-08-040002
+ - package_sendmail_removed
+
+ # RHEL-08-040003
+ ### NOTE: Will be removed in V1R2, merged into RHEL-08-040370
+
+ # RHEL-08-040004
+ - grub2_pti_argument
+
+ # RHEL-08-040010
+ - package_rsh-server_removed
+
+ # RHEL-08-040020
+
+ # RHEL-08-040021
+ - kernel_module_atm_disabled
+
+ # RHEL-08-040022
+ - kernel_module_can_disabled
+
+ # RHEL-08-040023
+ - kernel_module_sctp_disabled
+
+ # RHEL-08-040024
+ - kernel_module_tipc_disabled
+
+ # RHEL-08-040025
+ - kernel_module_cramfs_disabled
+
+ # RHEL-08-040026
+ - kernel_module_firewire-core_disabled
+
+ # RHEL-08-040030
+# - configure_firewalld_ports # not supported in RHEL9 ATM
+
+ # RHEL-08-040060
+ ### NOTE: Will be removed in V1R2
+
+ # RHEL-08-040070
+ - service_autofs_disabled
+
+ # RHEL-08-040080
+ - kernel_module_usb-storage_disabled
+
+ # RHEL-08-040090
+
+ # RHEL-08-040100
+ - service_firewalld_enabled
+ - package_firewalld_installed
+
+ # RHEL-08-040110
+ - wireless_disable_interfaces
+
+ # RHEL-08-040111
+ - kernel_module_bluetooth_disabled
+
+ # RHEL-08-040120
+ - mount_option_dev_shm_nodev
+
+ # RHEL-08-040121
+ - mount_option_dev_shm_nosuid
+
+ # RHEL-08-040122
+ - mount_option_dev_shm_noexec
+
+ # RHEL-08-040123
+ - mount_option_tmp_nodev
+
+ # RHEL-08-040124
+ - mount_option_tmp_nosuid
+
+ # RHEL-08-040125
+ - mount_option_tmp_noexec
+
+ # RHEL-08-040126
+ - mount_option_var_log_nodev
+
+ # RHEL-08-040127
+ - mount_option_var_log_nosuid
+
+ # RHEL-08-040128
+ - mount_option_var_log_noexec
+
+ # RHEL-08-040129
+ - mount_option_var_log_audit_nodev
+
+ # RHEL-08-040130
+ - mount_option_var_log_audit_nosuid
+
+ # RHEL-08-040131
+ - mount_option_var_log_audit_noexec
+
+ # RHEL-08-040132
+ - mount_option_var_tmp_nodev
+
+ # RHEL-08-040133
+ - mount_option_var_tmp_nosuid
+
+ # RHEL-08-040134
+ - mount_option_var_tmp_noexec
+
+ # RHEL-08-040135
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+
+ # RHEL-08-040140
+ - package_usbguard_installed
+ - service_usbguard_enabled
+
+ # RHEL-08-040150
+
+ # RHEL-08-040160
+ - package_openssh-server_installed
+ - service_sshd_enabled
+
+ # RHEL-08-040161
+ - sshd_rekey_limit
+
+ # RHEL-08-040162
+# - ssh_client_rekey_limit # not supported in RHEL9 ATM
+
+ # RHEL-08-040170
+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
+
+ # RHEL-08-040171
+# - dconf_gnome_disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
+
+ # RHEL-08-040172
+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
+
+ # RHEL-08-040180
+# - service_debug-shell_disabled # not supported in RHEL9 ATM
+
+ # RHEL-08-040190
+ - package_tftp-server_removed
+
+ # RHEL-08-040200
+ - accounts_no_uid_except_zero
+
+ # RHEL-08-040210
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects
+
+ # RHEL-08-040220
+ - sysctl_net_ipv4_conf_all_send_redirects
+
+ # RHEL-08-040230
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+
+ # RHEL-08-040240
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route
+
+ # RHEL-08-040250
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+
+ # RHEL-08-040260
+ - sysctl_net_ipv4_ip_forward
+
+ # RHEL-08-040261
+ - sysctl_net_ipv6_conf_all_accept_ra
+
+ # RHEL-08-040262
+ - sysctl_net_ipv6_conf_default_accept_ra
+
+ # RHEL-08-040270
+ - sysctl_net_ipv4_conf_default_send_redirects
+
+ # RHEL-08-040280
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects
+
+ # RHEL-08-040281
+ - sysctl_kernel_unprivileged_bpf_disabled
+
+ # RHEL-08-040282
+ - sysctl_kernel_yama_ptrace_scope
+
+ # RHEL-08-040283
+ - sysctl_kernel_kptr_restrict
+
+ # RHEL-08-040284
+ - sysctl_user_max_user_namespaces
+
+ # RHEL-08-040285
+ - sysctl_net_ipv4_conf_all_rp_filter
+
+ # RHEL-08-040290
+ # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
+ # there needs to be a new platform check to identify when postfix is installed or not
+ # - postfix_prevent_unrestricted_relay
+
+ # RHEL-08-040300
+ - aide_verify_ext_attributes
+
+ # RHEL-08-040310
+ - aide_verify_acls
+
+ # RHEL-08-040320
+ - xwindows_remove_packages
+
+ # RHEL-08-040330
+ - network_sniffer_disabled
+
+ # RHEL-08-040340
+ - sshd_disable_x11_forwarding
+
+ # RHEL-08-040341
+# - sshd_x11_use_localhost # not supported in RHEL9 ATM
+
+ # RHEL-08-040350
+# - tftpd_uses_secure_mode # not supported in RHEL9 ATM
+
+ # RHEL-08-040360
+ - package_vsftpd_removed
+
+ # RHEL-08-040370
+ - package_gssproxy_removed
+
+ # RHEL-08-040380
+ - package_iprutils_removed
+
+ # RHEL-08-040390
+ - package_tuned_removed
diff --git a/rhel9/profiles/stig_gui.profile b/rhel9/profiles/stig_gui.profile
new file mode 100644
index 00000000000..ff9a2833df8
--- /dev/null
+++ b/rhel9/profiles/stig_gui.profile
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+metadata:
+ version: V1R2
+ SMEs:
+ - carlosmmatos
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
+
+description: |-
+ This profile contains configuration checks that align to the
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
+
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
+
+ Warning: The installation and use of a Graphical User Interface (GUI)
+ increases your attack vector and decreases your overall security posture. If
+ your Information Systems Security Officer (ISSO) lacks a documented operational
+ requirement for a graphical user interface, please consider using the
+ standard DISA STIG for Red Hat Enterprise Linux 8 profile.
+
+extends: stig
+
+selections:
+ # RHEL-08-040320
+ - '!xwindows_remove_packages'
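Review bot: The only selection here removes `xwindows_remove_packages` from the inherited set, and nothing is added to cover the desktop that is then allowed. In the parent stig.profile of this same patch, every `dconf_gnome_*` rule (login banner, screensaver lock and idle delay, smartcard-removal lock, Ctrl-Alt-Del) and `gnome_gdm_disable_automatic_login` is commented out as not supported in RHEL9. A system scanned with this GUI profile would therefore have no GNOME session hardening evaluated at all. Until those rules are ported, I would state the gap in the description, for example `Note: GNOME session rules (login banner, screen lock, automatic login) are not yet part of this RHEL9 profile.`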
From 5c5a4500a92ebd32078cf05b2b3eb24a9f58f285 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 10 Jun 2021 19:48:13 +0200
Subject: [PATCH 2/4] Added note that the profile is a RHEL9 draft.
---
rhel9/profiles/cis.profile | 10 +++-------
rhel9/profiles/cjis.profile | 2 +-
rhel9/profiles/e8.profile | 4 ++--
rhel9/profiles/hipaa.profile | 4 ++--
rhel9/profiles/ism_o.profile | 4 ++--
rhel9/profiles/ospp.profile | 2 +-
rhel9/profiles/pci-dss.profile | 2 +-
rhel9/profiles/rht-ccp.profile | 4 ++--
rhel9/profiles/standard.profile | 2 +-
rhel9/profiles/stig.profile | 7 +++----
rhel9/profiles/stig_gui.profile | 13 ++++++-------
11 files changed, 24 insertions(+), 30 deletions(-)
diff --git a/rhel9/profiles/cis.profile b/rhel9/profiles/cis.profile
index 8939011ad1f..7cc538f82ce 100644
--- a/rhel9/profiles/cis.profile
+++ b/rhel9/profiles/cis.profile
@@ -1,21 +1,17 @@
documentation_complete: true
metadata:
- version: 1.0.0
+ version: 0.0.0
SMEs:
- vojtapolasek
- yuumasato
reference: https://www.cisecurity.org/benchmark/red_hat_linux/
-title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark'
description: |-
- This profile defines a baseline that aligns to the Center for Internet Security®
- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
-
- This profile includes Center for Internet Security®
- Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+ This is a draft CIS profile based on the RHEL8 CIS
selections:
# Necessary for dconf rules
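Review bot: The new description line `This is a draft CIS profile based on the RHEL8 CIS` reads as a cut-off sentence and no longer says which benchmark release the selections were derived from. The removed text named v1.0.0, and `version` is now `0.0.0`, so nothing in the file lets a reader trace the rule set back to its source. I would keep that provenance, for example `This is a draft CIS profile based on the RHEL8 CIS Benchmark v1.0.0 profile.` The `selections` block continues outside this hunk.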
diff --git a/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile
index 1fc531952b6..3c9c385cd48 100644
--- a/rhel9/profiles/cjis.profile
+++ b/rhel9/profiles/cjis.profile
@@ -7,7 +7,7 @@ metadata:
reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
-title: 'Criminal Justice Information Services (CJIS) Security Policy'
+title: '[RHEL9 DRAFT] Criminal Justice Information Services (CJIS) Security Policy'
description: |-
This profile is derived from FBI's CJIS v5.4
diff --git a/rhel9/profiles/e8.profile b/rhel9/profiles/e8.profile
index 30eb9c594ac..6d87a778eee 100644
--- a/rhel9/profiles/e8.profile
+++ b/rhel9/profiles/e8.profile
@@ -6,10 +6,10 @@ metadata:
reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
-title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
+title: '[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight'
description: |-
- This profile contains configuration checks for Red Hat Enterprise Linux 8
+ This profile contains configuration checks for Red Hat Enterprise Linux 9
that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the
diff --git a/rhel9/profiles/hipaa.profile b/rhel9/profiles/hipaa.profile
index 7919649d4d5..1bd7cc10459 100644
--- a/rhel9/profiles/hipaa.profile
+++ b/rhel9/profiles/hipaa.profile
@@ -7,7 +7,7 @@ metadata:
reference: https://www.hhs.gov/hipaa/for-professionals/index.html
-title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+title: '[RHEL9 DRAFT] Health Insurance Portability and Accountability Act (HIPAA)'
description: |-
The HIPAA Security Rule establishes U.S. national standards to protect individuals
@@ -17,7 +17,7 @@ description: |-
confidentiality, integrity, and security of electronic protected health
information.
- This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
+ This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security
Rule identified for securing of electronic protected health information.
Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile
index 592be03783f..3a884f8371d 100644
--- a/rhel9/profiles/ism_o.profile
+++ b/rhel9/profiles/ism_o.profile
@@ -8,10 +8,10 @@ metadata:
reference: https://www.cyber.gov.au/ism
-title: 'Australian Cyber Security Centre (ACSC) ISM Official'
+title: '[RHEL9 DRAFT] Australian Cyber Security Centre (ACSC) ISM Official'
description: |-
- This profile contains configuration checks for Red Hat Enterprise Linux 8
+ This profile contains configuration checks for Red Hat Enterprise Linux 9
that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
with the applicability marking of OFFICIAL.
diff --git a/rhel9/profiles/ospp.profile b/rhel9/profiles/ospp.profile
index c4a43dc5eb6..84d23fe8ff5 100644
--- a/rhel9/profiles/ospp.profile
+++ b/rhel9/profiles/ospp.profile
@@ -9,7 +9,7 @@ metadata:
reference: https://www.niap-ccevs.org/Profile/PP.cfm
-title: 'Protection Profile for General Purpose Operating Systems'
+title: '[RHEL9 DRAFT] Protection Profile for General Purpose Operating Systems'
description: |-
This profile reflects mandatory configuration controls identified in the
diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
index 966b2d5e1d8..6b00be5f76a 100644
--- a/rhel9/profiles/pci-dss.profile
+++ b/rhel9/profiles/pci-dss.profile
@@ -6,7 +6,7 @@ metadata:
reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
-title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
+title: '[RHEL9 DRAFT] PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'
description: |-
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
diff --git a/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
index 3b734c2b2c5..34244db3f3d 100644
--- a/rhel9/profiles/rht-ccp.profile
+++ b/rhel9/profiles/rht-ccp.profile
@@ -1,11 +1,11 @@
documentation_complete: true
-title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+title: '[RHEL9 DRAFT] Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
description: |-
This profile contains the minimum security relevant
configuration settings recommended by Red Hat, Inc for
- Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
+ Red Hat Enterprise Linux 9 instances deployed by Red Hat Certified
Cloud Providers.
selections:
diff --git a/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
index a63ae2cf328..921e30749d6 100644
--- a/rhel9/profiles/standard.profile
+++ b/rhel9/profiles/standard.profile
@@ -1,6 +1,6 @@
documentation_complete: true
-title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
+title: 'Standard System Security Profile for Red Hat Enterprise Linux 9'
description: |-
This profile contains rules to ensure standard security baseline
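Review bot: The new title `'Standard System Security Profile for Red Hat Enterprise Linux 9'` carries no draft marker, although this commit exists to label the RHEL9 profiles as drafts and every other title it touches gets one. Someone picking a profile by title would see this one as finished content; I would use `title: '[RHEL9 DRAFT] Standard System Security Profile for Red Hat Enterprise Linux 9'`. The prefix is also inconsistent across the commit: the cis.profile, e8.profile, stig.profile and stig_gui.profile hunks use `[DRAFT]`, while the others use `[RHEL9 DRAFT]`. A single form would make drafts easier to filter in tooling.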
diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
index 50548f7e8eb..1baafe6f751 100644
--- a/rhel9/profiles/stig.profile
+++ b/rhel9/profiles/stig.profile
@@ -1,17 +1,16 @@
documentation_complete: true
metadata:
- version: V1R2
+ version: NA
SMEs:
- carlosmmatos
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
-title: 'DISA STIG for Red Hat Enterprise Linux 8'
+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 9'
description: |-
- This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R2.
+ This profile contains configuration checks that are based on the RHEL8 STIG
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
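Review bot: The unchanged line `In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this` still asserts DISA recognition, although the title now marks the profile as a RHEL 9 draft, `version` is `NA`, and the new first sentence says it is only based on the RHEL8 STIG. A reader of a scan report could take this draft for a DISA-endorsed RHEL 9 baseline. I would replace the carried-over paragraph with something like `This draft is derived from the RHEL8 STIG; it does not correspond to a published DISA STIG for Red Hat Enterprise Linux 9.` The first stig_gui.profile hunk below has the same problem: it changes the sentence to say Red Hat Enterprise Linux 9 but keeps the DISA claim, and its next line still reads `based on Red Hat Enterprise Linux 8`. The description continues past the end of this hunk.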
diff --git a/rhel9/profiles/stig_gui.profile b/rhel9/profiles/stig_gui.profile
index ff9a2833df8..da26c9f1b89 100644
--- a/rhel9/profiles/stig_gui.profile
+++ b/rhel9/profiles/stig_gui.profile
@@ -1,19 +1,18 @@
documentation_complete: true
metadata:
- version: V1R2
+ version: NA
SMEs:
- carlosmmatos
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
-title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
+title: '[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9'
description: |-
- This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
+ This profile contains configuration checks that are based on the RHEL8 STIG
- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
+ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
configuration baseline as applicable to the operating system tier of
Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
@@ -21,13 +20,13 @@ description: |-
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- - Red Hat Containers with a Red Hat Enterprise Linux 8 image
+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
Warning: The installation and use of a Graphical User Interface (GUI)
increases your attack vector and decreases your overall security posture. If
your Information Systems Security Officer (ISSO) lacks a documented operational
requirement for a graphical user interface, please consider using the
- standard DISA STIG for Red Hat Enterprise Linux 8 profile.
+ standard DISA STIG for Red Hat Enterprise Linux 9 profile.
extends: stig
From f27a9195b81f017f25f95eec50ec19114b0ea406 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 16 Jun 2021 12:04:53 +0200
Subject: [PATCH 3/4] Added RHEL9 CCEs.
Some of the available CCEs were actually taken, so the number of removed CCEs is greater
than the number of rules that got a CCE.
Sometimes PRs introduce CCE inconsistencies: https://github.com/ComplianceAsCode/content/pull/6579
---
.../service_avahi-daemon_disabled/rule.yml | 1 +
.../base/package_abrt_removed/rule.yml | 1 +
.../base/service_abrtd_disabled/rule.yml | 1 +
.../base/service_kdump_disabled/rule.yml | 1 +
.../base/service_ntpdate_disabled/rule.yml | 1 +
.../base/service_oddjobd_disabled/rule.yml | 1 +
.../base/service_qpidd_disabled/rule.yml | 1 +
.../base/service_rdisc_disabled/rule.yml | 1 +
.../base/service_rhnsd_disabled/rule.yml | 1 +
.../file_groupowner_cron_d/rule.yml | 1 +
.../file_groupowner_cron_daily/rule.yml | 1 +
.../file_groupowner_cron_hourly/rule.yml | 1 +
.../file_groupowner_cron_monthly/rule.yml | 1 +
.../file_groupowner_cron_weekly/rule.yml | 1 +
.../file_groupowner_crontab/rule.yml | 1 +
.../cron_and_at/file_owner_cron_d/rule.yml | 1 +
.../file_owner_cron_daily/rule.yml | 1 +
.../file_owner_cron_hourly/rule.yml | 1 +
.../file_owner_cron_monthly/rule.yml | 1 +
.../file_owner_cron_weekly/rule.yml | 1 +
.../cron_and_at/file_owner_crontab/rule.yml | 1 +
.../file_permissions_cron_d/rule.yml | 1 +
.../file_permissions_cron_daily/rule.yml | 1 +
.../file_permissions_cron_hourly/rule.yml | 1 +
.../file_permissions_cron_monthly/rule.yml | 1 +
.../file_permissions_cron_weekly/rule.yml | 1 +
.../file_permissions_crontab/rule.yml | 1 +
.../cron_and_at/service_atd_disabled/rule.yml | 1 +
.../service_crond_enabled/rule.yml | 1 +
.../package_dhcp_removed/rule.yml | 1 +
.../service_dhcpd_disabled/rule.yml | 1 +
.../service_named_disabled/rule.yml | 1 +
.../package_fapolicyd_installed/rule.yml | 1 +
.../service_fapolicyd_enabled/rule.yml | 1 +
.../package_vsftpd_removed/rule.yml | 1 +
.../service_vsftpd_disabled/rule.yml | 1 +
.../service_httpd_disabled/rule.yml | 1 +
.../service_dovecot_disabled/rule.yml | 1 +
.../kerberos_disable_no_keytab/rule.yml | 1 +
.../package_openldap-clients_removed/rule.yml | 1 +
.../mail/package_sendmail_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../service_rpcbind_disabled/rule.yml | 1 +
.../service_nfs_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../package_nfs-utils_removed/rule.yml | 1 +
.../ntp/chronyd_run_as_chrony_user/rule.yml | 1 +
.../chronyd_specify_remote_server/rule.yml | 1 +
.../ntp/package_chrony_installed/rule.yml | 1 +
.../ntp/service_chronyd_enabled/rule.yml | 1 +
.../package_xinetd_removed/rule.yml | 1 +
.../service_xinetd_disabled/rule.yml | 1 +
.../nis/package_ypbind_removed/rule.yml | 1 +
.../nis/package_ypserv_removed/rule.yml | 1 +
.../r_services/no_rsh_trust_files/rule.yml | 1 +
.../package_rsh-server_removed/rule.yml | 1 +
.../r_services/package_rsh_removed/rule.yml | 1 +
.../obsolete/service_rsyncd_disabled/rule.yml | 1 +
.../talk/package_talk-server_removed/rule.yml | 1 +
.../talk/package_talk_removed/rule.yml | 1 +
.../package_telnet-server_removed/rule.yml | 1 +
.../telnet/package_telnet_removed/rule.yml | 1 +
.../telnet/service_telnet_disabled/rule.yml | 1 +
.../tftp/package_tftp-server_removed/rule.yml | 1 +
.../printing/service_cups_disabled/rule.yml | 1 +
.../package_squid_removed/rule.yml | 1 +
.../service_squid_disabled/rule.yml | 1 +
.../rng/service_rngd_enabled/rule.yml | 1 +
.../package_quagga_removed/rule.yml | 1 +
.../service_zebra_disabled/rule.yml | 1 +
.../service_smb_disabled/rule.yml | 1 +
.../service_snmpd_disabled/rule.yml | 1 +
.../ssh/file_groupowner_sshd_config/rule.yml | 1 +
.../ssh/file_owner_sshd_config/rule.yml | 1 +
.../ssh/file_permissions_sshd_config/rule.yml | 1 +
.../rule.yml | 1 +
.../file_permissions_sshd_pub_key/rule.yml | 1 +
.../rule.yml | 1 +
.../package_openssh-server_installed/rule.yml | 1 +
.../ssh/service_sshd_enabled/rule.yml | 1 +
.../ssh/ssh_server/disable_host_auth/rule.yml | 1 +
.../sshd_allow_only_protocol2/rule.yml | 1 +
.../sshd_disable_compression/rule.yml | 1 +
.../sshd_disable_empty_passwords/rule.yml | 1 +
.../sshd_disable_gssapi_auth/rule.yml | 1 +
.../sshd_disable_kerb_auth/rule.yml | 1 +
.../ssh_server/sshd_disable_rhosts/rule.yml | 1 +
.../sshd_disable_root_login/rule.yml | 1 +
.../sshd_disable_tcp_forwarding/rule.yml | 1 +
.../sshd_disable_user_known_hosts/rule.yml | 1 +
.../sshd_disable_x11_forwarding/rule.yml | 1 +
.../sshd_do_not_permit_user_env/rule.yml | 1 +
.../sshd_enable_strictmodes/rule.yml | 1 +
.../sshd_enable_warning_banner/rule.yml | 1 +
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 1 +
.../ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
.../ssh_server/sshd_set_keepalive/rule.yml | 1 +
.../sshd_set_loglevel_info/rule.yml | 1 +
.../sshd_set_max_auth_tries/rule.yml | 1 +
.../ssh_server/sshd_set_max_sessions/rule.yml | 1 +
.../configure_usbguard_auditbackend/rule.yml | 1 +
.../package_usbguard_installed/rule.yml | 1 +
.../service_usbguard_enabled/rule.yml | 1 +
.../usbguard_allow_hid_and_hub/rule.yml | 1 +
.../rule.yml | 1 +
.../xwindows_remove_packages/rule.yml | 1 +
.../xwindows_runlevel_target/rule.yml | 1 +
.../banner_etc_issue/rule.yml | 1 +
.../accounts-banners/banner_etc_motd/rule.yml | 1 +
.../file_permissions_etc_issue/rule.yml | 1 +
.../file_permissions_etc_motd/rule.yml | 1 +
.../display_login_attempts/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_password_pam_dcredit/rule.yml | 1 +
.../accounts_password_pam_difok/rule.yml | 1 +
.../accounts_password_pam_lcredit/rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_password_pam_maxrepeat/rule.yml | 1 +
.../accounts_password_pam_minclass/rule.yml | 1 +
.../accounts_password_pam_minlen/rule.yml | 1 +
.../accounts_password_pam_ocredit/rule.yml | 1 +
.../accounts_password_pam_retry/rule.yml | 1 +
.../accounts_password_pam_ucredit/rule.yml | 1 +
.../rule.yml | 1 +
.../require_emergency_target_auth/rule.yml | 1 +
.../require_singleuser_auth/rule.yml | 1 +
.../package_tmux_installed/rule.yml | 1 +
.../install_smartcard_packages/rule.yml | 1 +
.../package_opensc_installed/rule.yml | 1 +
.../rule.yml | 1 +
.../account_unique_name/rule.yml | 1 +
.../accounts_maximum_age_login_defs/rule.yml | 1 +
.../accounts_minimum_age_login_defs/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_password_all_shadowed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../gid_passwd_group_same/rule.yml | 1 +
.../no_empty_passwords/rule.yml | 1 +
.../no_legacy_plus_entries_etc_group/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../password_storage/no_netrc_files/rule.yml | 1 +
.../accounts_no_uid_except_zero/rule.yml | 1 +
.../no_direct_root_logins/rule.yml | 1 +
.../no_shelllogin_for_systemaccounts/rule.yml | 1 +
.../restrict_serial_port_logins/rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_logon_fail_delay/rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_polyinstantiated_tmp/rule.yml | 1 +
.../rule.yml | 1 +
.../accounts-session/accounts_tmout/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../file_permission_user_init_files/rule.yml | 1 +
.../rule.yml | 1 +
.../file_permissions_home_dirs/rule.yml | 1 +
.../accounts_root_path_dirs_no_write/rule.yml | 1 +
.../accounts_umask_etc_bashrc/rule.yml | 1 +
.../accounts_umask_etc_login_defs/rule.yml | 1 +
.../accounts_umask_etc_profile/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../audit_rules_execution_chcon/rule.yml | 1 +
.../audit_rules_execution_restorecon/rule.yml | 1 +
.../audit_rules_execution_semanage/rule.yml | 1 +
.../audit_rules_execution_setfiles/rule.yml | 1 +
.../audit_rules_execution_setsebool/rule.yml | 1 +
.../audit_rules_execution_seunshare/rule.yml | 1 +
.../audit_rules_file_deletion_events/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../audit_rules_login_events/rule.yml | 1 +
.../rule.yml | 1 +
.../audit_rules_login_events_lastlog/rule.yml | 1 +
.../rule.yml | 1 +
.../audit_rules_privileged_commands/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../audit_rules_immutable/rule.yml | 1 +
.../audit_rules_mac_modification/rule.yml | 1 +
.../audit_rules_media_export/rule.yml | 1 +
.../rule.yml | 1 +
.../audit_rules_session_events/rule.yml | 1 +
.../audit_rules_sysadmin_actions/rule.yml | 1 +
.../audit_rules_system_shutdown/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../audit_rules_time_adjtimex/rule.yml | 1 +
.../audit_rules_time_clock_settime/rule.yml | 1 +
.../audit_rules_time_settimeofday/rule.yml | 1 +
.../audit_rules_time_stime/rule.yml | 1 +
.../audit_rules_time_watch_localtime/rule.yml | 1 +
.../rule.yml | 1 +
.../file_ownership_var_log_audit/rule.yml | 1 +
.../file_permissions_var_log_audit/rule.yml | 1 +
.../rule.yml | 1 +
.../auditd_data_disk_error_action/rule.yml | 1 +
.../auditd_data_disk_full_action/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../auditd_data_retention_flush/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../auditd_data_retention_num_logs/rule.yml | 1 +
.../rule.yml | 1 +
.../auditd_freq/rule.yml | 1 +
.../auditd_local_events/rule.yml | 1 +
.../auditd_log_format/rule.yml | 1 +
.../auditd_name_format/rule.yml | 1 +
.../auditd_write_logs/rule.yml | 1 +
.../auditing/grub2_audit_argument/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../auditing/package_audit_installed/rule.yml | 1 +
.../policy_rules/audit_access_failed/rule.yml | 1 +
.../audit_access_success/rule.yml | 1 +
.../audit_basic_configuration/rule.yml | 1 +
.../policy_rules/audit_create_failed/rule.yml | 1 +
.../audit_create_success/rule.yml | 1 +
.../policy_rules/audit_delete_failed/rule.yml | 1 +
.../audit_delete_success/rule.yml | 1 +
.../audit_immutable_login_uids/rule.yml | 1 +
.../policy_rules/audit_modify_failed/rule.yml | 1 +
.../audit_modify_success/rule.yml | 1 +
.../policy_rules/audit_module_load/rule.yml | 1 +
.../policy_rules/audit_ospp_general/rule.yml | 1 +
.../audit_owner_change_failed/rule.yml | 1 +
.../audit_owner_change_success/rule.yml | 1 +
.../audit_perm_change_failed/rule.yml | 1 +
.../audit_perm_change_success/rule.yml | 1 +
.../auditing/service_auditd_enabled/rule.yml | 1 +
.../grub2_enable_iommu_force/rule.yml | 1 +
.../grub2_kernel_trust_cpu_rng/rule.yml | 1 +
.../grub2_pti_argument/rule.yml | 1 +
.../grub2_vsyscall_argument/rule.yml | 1 +
.../file_groupowner_grub2_cfg/rule.yml | 1 +
.../non-uefi/file_owner_grub2_cfg/rule.yml | 1 +
.../file_permissions_grub2_cfg/rule.yml | 1 +
.../non-uefi/grub2_password/rule.yml | 1 +
.../zipl_audit_argument/rule.yml | 1 +
.../rule.yml | 1 +
.../zipl_bls_entries_only/rule.yml | 1 +
.../zipl_bootmap_is_up_to_date/rule.yml | 1 +
.../zipl_page_poison_argument/rule.yml | 1 +
.../zipl_slub_debug_argument/rule.yml | 1 +
.../zipl_vsyscall_argument/rule.yml | 1 +
.../rsyslog_cron_logging/rule.yml | 1 +
.../ensure_logrotate_activated/rule.yml | 1 +
.../package_rsyslog-gnutls_installed/rule.yml | 1 +
.../rsyslog_nolisten/rule.yml | 1 +
.../rsyslog_remote_loghost/rule.yml | 1 +
.../rsyslog_remote_tls/rule.yml | 1 +
.../rsyslog_remote_tls_cacert/rule.yml | 1 +
.../logging/service_rsyslog_enabled/rule.yml | 1 +
.../package_firewalld_installed/rule.yml | 1 +
.../service_firewalld_enabled/rule.yml | 1 +
.../set_firewalld_default_zone/rule.yml | 1 +
.../package_libreswan_installed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_net_ipv4_tcp_rfc1337/rule.yml | 1 +
.../sysctl_net_ipv4_tcp_syncookies/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 +
.../kernel_module_atm_disabled/rule.yml | 1 +
.../kernel_module_can_disabled/rule.yml | 1 +
.../kernel_module_dccp_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../kernel_module_rds_disabled/rule.yml | 1 +
.../kernel_module_sctp_disabled/rule.yml | 1 +
.../kernel_module_tipc_disabled/rule.yml | 1 +
.../kernel_module_bluetooth_disabled/rule.yml | 1 +
.../wireless_disable_interfaces/rule.yml | 1 +
.../network/network_sniffer_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../file_permissions_ungroupowned/rule.yml | 1 +
.../files/no_files_unowned_by_user/rule.yml | 1 +
.../file_groupowner_backup_etc_group/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../file_groupowner_etc_group/rule.yml | 1 +
.../file_groupowner_etc_gshadow/rule.yml | 1 +
.../file_groupowner_etc_passwd/rule.yml | 1 +
.../file_groupowner_etc_shadow/rule.yml | 1 +
.../file_owner_backup_etc_group/rule.yml | 1 +
.../file_owner_backup_etc_gshadow/rule.yml | 1 +
.../file_owner_backup_etc_passwd/rule.yml | 1 +
.../file_owner_backup_etc_shadow/rule.yml | 1 +
.../file_owner_etc_group/rule.yml | 1 +
.../file_owner_etc_gshadow/rule.yml | 1 +
.../file_owner_etc_passwd/rule.yml | 1 +
.../file_owner_etc_shadow/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../file_permissions_etc_group/rule.yml | 1 +
.../file_permissions_etc_gshadow/rule.yml | 1 +
.../file_permissions_etc_passwd/rule.yml | 1 +
.../file_permissions_etc_shadow/rule.yml | 1 +
.../file_groupowner_var_log/rule.yml | 1 +
.../file_groupowner_var_log_messages/rule.yml | 1 +
.../file_owner_var_log/rule.yml | 1 +
.../file_owner_var_log_messages/rule.yml | 1 +
.../file_permissions_var_log/rule.yml | 1 +
.../rule.yml | 1 +
.../file_ownership_binary_dirs/rule.yml | 1 +
.../file_ownership_library_dirs/rule.yml | 1 +
.../file_permissions_binary_dirs/rule.yml | 1 +
.../file_permissions_library_dirs/rule.yml | 1 +
.../sysctl_fs_protected_hardlinks/rule.yml | 1 +
.../sysctl_fs_protected_symlinks/rule.yml | 1 +
.../kernel_module_cramfs_disabled/rule.yml | 1 +
.../kernel_module_squashfs_disabled/rule.yml | 1 +
.../kernel_module_udf_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../mounting/service_autofs_disabled/rule.yml | 1 +
.../mount_option_boot_nodev/rule.yml | 1 +
.../mount_option_boot_noexec/rule.yml | 1 +
.../mount_option_boot_nosuid/rule.yml | 1 +
.../mount_option_dev_shm_nodev/rule.yml | 1 +
.../mount_option_dev_shm_noexec/rule.yml | 1 +
.../mount_option_dev_shm_nosuid/rule.yml | 1 +
.../mount_option_home_nodev/rule.yml | 1 +
.../mount_option_home_noexec/rule.yml | 1 +
.../mount_option_home_nosuid/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../mount_option_opt_nosuid/rule.yml | 1 +
.../mount_option_srv_nosuid/rule.yml | 1 +
.../mount_option_tmp_nodev/rule.yml | 1 +
.../mount_option_tmp_noexec/rule.yml | 1 +
.../mount_option_tmp_nosuid/rule.yml | 1 +
.../mount_option_var_log_audit_nodev/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../mount_option_var_log_nodev/rule.yml | 1 +
.../mount_option_var_log_noexec/rule.yml | 1 +
.../mount_option_var_log_nosuid/rule.yml | 1 +
.../mount_option_var_nodev/rule.yml | 1 +
.../mount_option_var_noexec/rule.yml | 1 +
.../mount_option_var_nosuid/rule.yml | 1 +
.../mount_option_var_tmp_nodev/rule.yml | 1 +
.../mount_option_var_tmp_noexec/rule.yml | 1 +
.../mount_option_var_tmp_nosuid/rule.yml | 1 +
.../disable_users_coredumps/rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_fs_suid_dumpable/rule.yml | 1 +
.../sysctl_kernel_exec_shield/rule.yml | 1 +
.../sysctl_kernel_kptr_restrict/rule.yml | 1 +
.../sysctl_kernel_randomize_va_space/rule.yml | 1 +
.../grub2_page_poison_argument/rule.yml | 1 +
.../grub2_slub_debug_argument/rule.yml | 1 +
.../sysctl_kernel_core_pattern/rule.yml | 1 +
.../sysctl_kernel_dmesg_restrict/rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_kernel_modules_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_kernel_pid_max/rule.yml | 1 +
.../restrictions/sysctl_kernel_sysrq/rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 1 +
.../sysctl_net_core_bpf_jit_harden/rule.yml | 1 +
.../sysctl_user_max_user_namespaces/rule.yml | 1 +
.../sysctl_vm_mmap_min_addr/rule.yml | 1 +
.../selinux/grub2_enable_selinux/rule.yml | 1 +
.../package_libselinux_installed/rule.yml | 1 +
.../selinux/package_mcstrans_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../package_setroubleshoot_removed/rule.yml | 1 +
.../sebool_auditadm_exec_content/rule.yml | 1 +
.../sebool_deny_execmem/rule.yml | 1 +
.../sebool_polyinstantiation_enabled/rule.yml | 1 +
.../sebool_secure_mode_insmod/rule.yml | 1 +
.../sebool_selinuxuser_execheap/rule.yml | 1 +
.../sebool_selinuxuser_execmod/rule.yml | 1 +
.../sebool_selinuxuser_execstack/rule.yml | 1 +
.../sebool_ssh_sysadm_login/rule.yml | 1 +
.../selinux_confinement_of_daemons/rule.yml | 1 +
.../selinux/selinux_policytype/rule.yml | 1 +
.../system/selinux/selinux_state/rule.yml | 1 +
.../encrypt_partitions/rule.yml | 1 +
.../partition_for_home/rule.yml | 1 +
.../partition_for_srv/rule.yml | 1 +
.../partition_for_tmp/rule.yml | 1 +
.../partition_for_var/rule.yml | 1 +
.../partition_for_var_log/rule.yml | 1 +
.../partition_for_var_log_audit/rule.yml | 1 +
.../partition_for_var_tmp/rule.yml | 1 +
.../gnome/package_gdm_removed/rule.yml | 1 +
.../installed_OS_is_vendor_supported/rule.yml | 1 +
.../configure_bind_crypto_policy/rule.yml | 1 +
.../crypto/configure_crypto_policy/rule.yml | 1 +
.../configure_kerberos_crypto_policy/rule.yml | 1 +
.../rule.yml | 1 +
.../configure_openssl_crypto_policy/rule.yml | 1 +
.../rule.yml | 1 +
.../configure_ssh_crypto_policy/rule.yml | 1 +
.../rule.yml | 1 +
.../fips/sysctl_crypto_fips_enabled/rule.yml | 1 +
.../aide/aide_build_database/rule.yml | 1 +
.../aide/aide_periodic_cron_checking/rule.yml | 1 +
.../aide/aide_scan_notification/rule.yml | 1 +
.../aide/aide_verify_acls/rule.yml | 1 +
.../aide/aide_verify_ext_attributes/rule.yml | 1 +
.../aide/package_aide_installed/rule.yml | 1 +
.../rpm_verify_hashes/rule.yml | 1 +
.../rpm_verify_ownership/rule.yml | 1 +
.../rpm_verify_permissions/rule.yml | 1 +
.../system/software/prefer_64bit_os/rule.yml | 1 +
.../sudo/package_sudo_installed/rule.yml | 1 +
.../software/sudo/sudo_add_noexec/rule.yml | 1 +
.../sudo/sudo_add_requiretty/rule.yml | 1 +
.../software/sudo/sudo_add_use_pty/rule.yml | 1 +
.../sudo/sudo_custom_logfile/rule.yml | 1 +
.../sudo/sudo_remove_no_authenticate/rule.yml | 1 +
.../sudo/sudo_remove_nopasswd/rule.yml | 1 +
.../sudo/sudo_require_authentication/rule.yml | 1 +
.../rule.yml | 1 +
.../software/sudo/sudo_vdsm_nopasswd/rule.yml | 1 +
.../sudoers_explicit_command_args/rule.yml | 5 +-
.../sudo/sudoers_no_command_negation/rule.yml | 5 +-
.../sudo/sudoers_no_root_target/rule.yml | 5 +-
.../sudo/sudoers_validate_passwd/rule.yml | 1 +
.../package_abrt-addon-ccpp_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../package_abrt-cli_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../package_gnutls-utils_installed/rule.yml | 1 +
.../package_gssproxy_removed/rule.yml | 1 +
.../package_iprutils_removed/rule.yml | 1 +
.../package_krb5-workstation_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../package_rear_installed/rule.yml | 1 +
.../package_rng-tools_installed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../package_tuned_removed/rule.yml | 1 +
.../clean_components_post_updating/rule.yml | 1 +
.../dnf-automatic_apply_updates/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../ensure_gpgcheck_local_packages/rule.yml | 1 +
.../ensure_gpgcheck_never_disabled/rule.yml | 1 +
.../package_dnf-automatic_installed/rule.yml | 1 +
.../timer_dnf-automatic_enabled/rule.yml | 1 +
549 files changed, 554 insertions(+), 577 deletions(-)
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
index 86fabb43744..8ad5ad300aa 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80338-7
cce@rhel8: CCE-82188-4
+ cce@rhel9: CCE-90824-4
references:
cis@rhel7: 2.2.3
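Review bot: The identifier added here, `cce@rhel9: CCE-90824-4`, sits outside the CCE-84xxx range that every other rule.yml hunk visible in this part of the patch draws from. The commit message itself notes that some supposedly available CCEs were already taken, so it is worth confirming this one is not assigned to another rule or product before merging. A tree-wide search such as `grep -rn "CCE-90824-4" linux_os/` would settle it, since a duplicated CCE makes scan findings map to the wrong control. No line change is proposed unless that check finds a collision.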
diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml
index 53b633c1f32..d1f2c060751 100644
--- a/linux_os/guide/services/base/package_abrt_removed/rule.yml
+++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81040-8
cce@rhel8: CCE-80948-3
+ cce@rhel9: CCE-84228-6
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
index cacd7eeb3a7..73b3fad1446 100644
--- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82027-4
cce@rhel8: CCE-80870-9
+ cce@rhel9: CCE-84234-4
references:
nist: CM-7(a),CM-6(a)
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
index 1bb014b5993..5129bcd31e7 100644
--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80258-7
cce@rhel8: CCE-80878-2
+ cce@rhel9: CCE-84232-8
cce@sle12: CCE-83105-7
cce@sle15: CCE-85638-5
diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
index 8dfbcf5faab..7c1ae86f5fe 100644
--- a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
@@ -23,6 +23,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80262-9
cce@rhel8: CCE-80879-0
+ cce@rhel9: CCE-84236-9
references:
disa: CCI-000382
diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
index 64aa1c45f9e..dbe4b22a809 100644
--- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80263-7
cce@rhel8: CCE-80880-8
+ cce@rhel9: CCE-84229-4
references:
disa: CCI-000381
diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
index badee1af18e..be12fd102a1 100644
--- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
@@ -24,6 +24,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80266-0
cce@rhel8: CCE-80882-4
+ cce@rhel9: CCE-84231-0
references:
disa: CCI-000382
diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
index 772f8c37e68..3cae11fd233 100644
--- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80268-6
cce@rhel8: CCE-80883-2
+ cce@rhel9: CCE-84237-7
references:
disa: CCI-000382
diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
index ba3b04d8811..35290e39084 100644
--- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
@@ -22,6 +22,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80269-4
cce@rhel8: CCE-82405-2
+ cce@rhel9: CCE-84235-1
references:
cis@rhel7: 1.2.5
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
index bcf17d8d1ba..63741db4654 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82265-0
cce@rhel8: CCE-82268-4
+ cce@rhel9: CCE-84177-5
references:
cis@rhel7: 5.1.7
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
index 3731bcff80a..2bbef88897c 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82232-0
cce@rhel8: CCE-82234-6
+ cce@rhel9: CCE-84170-0
references:
cis@rhel7: 5.1.4
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
index f6be1d8e385..c1d873c80b4 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82226-2
cce@rhel8: CCE-82227-0
+ cce@rhel9: CCE-84186-6
references:
cis@rhel7: 5.1.3
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index 823bf13d3a8..5f98988f1d3 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82255-1
cce@rhel8: CCE-82256-9
+ cce@rhel9: CCE-84189-0
references:
cis@rhel7: 5.1.6
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index edeef8ff378..e6876272e08 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82242-9
cce@rhel8: CCE-82244-5
+ cce@rhel9: CCE-84174-2
references:
cis@rhel7: 5.1.5
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 8c4027198e3..6556e3f8d23 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82222-1
cce@rhel8: CCE-82223-9
+ cce@rhel9: CCE-84171-8
references:
cis@rhel7: 5.1.2
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index 29df5f3a977..2e95b3569da 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82270-0
cce@rhel8: CCE-82272-6
+ cce@rhel9: CCE-84169-2
references:
cis@rhel7: 5.1.7
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index f7e7811c8b1..41b87b5c458 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82236-1
cce@rhel8: CCE-82237-9
+ cce@rhel9: CCE-84188-2
references:
cis@rhel7: 5.1.4
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index 04041e13dfe..97ecab21d35 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82208-0
cce@rhel8: CCE-82209-8
+ cce@rhel9: CCE-84168-4
references:
cis@rhel7: 5.1.3
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index 46757a03195..b607f980e6e 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82259-3
cce@rhel8: CCE-82260-1
+ cce@rhel9: CCE-84179-1
references:
cis@rhel7: 5.1.6
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index 48f897e4339..3c0d65d9349 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82246-0
cce@rhel8: CCE-82247-8
+ cce@rhel9: CCE-84190-8
references:
cis@rhel7: 5.1.5
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index 738d9820b7f..ff0493c9d22 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82217-1
cce@rhel8: CCE-82224-7
+ cce@rhel9: CCE-84167-6
references:
cis@rhel7: 5.1.2
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index f47ae580724..d3af795efcb 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82276-7
cce@rhel8: CCE-82277-5
+ cce@rhel9: CCE-84183-3
references:
cis@rhel7: 5.1.7
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index ce7a7447a68..40eb753b45c 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82239-5
cce@rhel8: CCE-82240-3
+ cce@rhel9: CCE-84175-9
references:
cis@rhel7: 5.1.4
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index dc9c7274f6e..cb0d959fecf 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82229-6
cce@rhel8: CCE-82230-4
+ cce@rhel9: CCE-84173-4
references:
cis@rhel7: 5.1.3
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index 0ce221933e3..1bb7486b3be 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82262-7
cce@rhel8: CCE-82263-5
+ cce@rhel9: CCE-84181-7
references:
cis@rhel7: 5.1.6
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 0bcf7c9dfa3..ea5020367e9 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82250-2
cce@rhel8: CCE-82253-6
+ cce@rhel9: CCE-84187-4
references:
cis@rhel7: 5.1.5
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 4a743ab10d5..62b3623b10c 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82205-6
cce@rhel8: CCE-82206-4
+ cce@rhel9: CCE-84176-7
references:
cis@rhel7: 5.1.2
diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
index 12bde00f86c..bd3f5894e1d 100644
--- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
+++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80345-2
cce@rhel8: CCE-80871-7
+ cce@rhel9: CCE-84164-3
references:
disa: CCI-000381
diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
index d2c99d0d3f9..5e6aa3f246d 100644
--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27323-5
cce@rhel8: CCE-80875-8
+ cce@rhel9: CCE-84163-5
references:
cis@rhel7: 5.1.1
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
index 5f6ef7037d1..e1f2ee67c0c 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80331-2
cce@rhel8: CCE-83385-5
+ cce@rhel9: CCE-84240-1
references:
disa: CCI-000366
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index ef7cb53457e..d5a35841bb7 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80330-4
cce@rhel8: CCE-82864-0
+ cce@rhel9: CCE-84241-9
references:
disa: CCI-000366
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index ee4527a8953..9416c1a47c3 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80325-4
cce@rhel8: CCE-82409-4
+ cce@rhel9: CCE-84194-0
references:
cis@rhel7: 2.2.8
diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
index abaa84ceb0f..def5fd0b715 100644
--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
+++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82191-8
+ cce@rhel9: CCE-84224-5
cce@rhcos4: CCE-82533-1
references:
diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
index a8b98ce3630..69be5807c1d 100644
--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
+++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82249-4
+ cce@rhel9: CCE-84227-8
cce@rhcos4: CCE-82534-9
references:
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index b41afade347..30f5483a471 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -15,6 +15,7 @@ severity: high
identifiers:
cce@rhel7: CCE-80245-4
cce@rhel8: CCE-82414-4
+ cce@rhel9: CCE-84159-3
cce@sle15: CCE-85700-3
references:
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
index e6424e0162a..f43dabbda35 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80244-7
cce@rhel8: CCE-82413-6
+ cce@rhel9: CCE-84160-1
references:
cis@rhel7: 2.2.9
diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
index 10808731308..880cb190c41 100644
--- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
@@ -16,6 +16,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80300-7
cce@rhel8: CCE-82761-8
+ cce@rhel9: CCE-84213-8
references:
cis@rhel7: 2.2.10
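Review bot: The hunk header shows this rule still carries `severity: unknown`, so the new `cce@rhel9` identifier lands on a rule that RHEL 9 scan results cannot rank during triage. The same applies to the hunks for service_dovecot_disabled, service_nfs_disabled, package_ypbind_removed, package_rsh_removed, service_cups_disabled, package_squid_removed and service_squid_disabled. Since the port already touches each of these files, I would replace the placeholder with an explicit level, for example `severity: medium` as the neighbouring service_vsftpd_disabled rule uses; the right value is the maintainers' call. The `severity:` line itself sits above the hunk, so this cannot be confirmed beyond the `@@` context.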
diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
index 54235dbfe6a..d460c18646d 100644
--- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
@@ -16,6 +16,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80294-2
cce@rhel8: CCE-82760-0
+ cce@rhel9: CCE-84242-7
references:
cis@rhel7: 2.2.11
diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
index 3e0de0e531f..992e397de54 100644
--- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
+++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82175-1
+ cce@rhel9: CCE-84221-1
references:
ospp: FTP_ITC_EXT.1
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
index 36be8d99194..6d0409fd273 100644
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -18,6 +18,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82884-8
cce@rhel8: CCE-82885-5
+ cce@rhel9: CCE-90831-9
references:
cis@rhel7: 2.3.5
diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
index 3c851cfb227..a56d93cdae5 100644
--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80288-4
cce@rhel8: CCE-81039-0
+ cce@rhel9: CCE-90830-1
references:
nist: CM-7(a),CM-7(b),CM-6(a)
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
index 28d5b41a750..3d390b35e8f 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
@@ -21,6 +21,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82380-7
cce@rhel8: CCE-82381-5
+ cce@rhel9: CCE-90826-9
cce@sle12: CCE-83031-5
cce@sle15: CCE-85605-4
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 4a9a36ab8c3..e0e3a53d9e5 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80289-2
cce@rhel8: CCE-82174-4
+ cce@rhel9: CCE-90825-1
references:
cis@rhel7: 2.2.16
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 13723c22bab..a44f0c1c492 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -22,6 +22,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80230-6
cce@rhel8: CCE-82858-2
+ cce@rhel9: CCE-84245-0
references:
cis@rhel7: 2.2.18
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
index 5ecd328720e..ef2717e3116 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
@@ -17,6 +17,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80237-1
cce@rhel8: CCE-82762-6
+ cce@rhel9: CCE-90850-9
references:
cis@rhel7: 2.2.7
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
index 82eac90b88b..6b2313ecc21 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80239-7
cce@rhel8: CCE-84052-0
+ cce@rhel9: CCE-90838-4
references:
nist: CM-6(a),MP-2
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
index 4c65f182a9f..9bd6d8ddfdc 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
@@ -19,6 +19,7 @@ identifiers:
cce@sle12: CCE-83103-2
cce@sle15: CCE-85636-9
cce@rhel8: CCE-84050-4
+ cce@rhel9: CCE-84246-8
references:
stigid@ol7: OL07-00-021021
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
index 134be291155..036bc8f69b3 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
@@ -17,6 +17,7 @@ identifiers:
cce@sle12: CCE-83102-4
cce@sle15: CCE-85635-1
cce@rhel8: CCE-84053-8
+ cce@rhel9: CCE-84247-6
references:
stigid@ol7: OL07-00-021020
diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
index d8527598136..33f4764f795 100644
--- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82933-3
cce@rhel8: CCE-82932-5
+ cce@rhel9: CCE-84243-5
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index 0947a2faaa8..47cb3d67b7e 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -30,6 +30,7 @@ references:
identifiers:
cce@rhel7: CCE-82878-0
cce@rhel8: CCE-82879-8
+ cce@rhel9: CCE-84108-0
ocil_clause: 'chronyd is not running under chrony user account'
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index 3583feaf04f..c36fcad3b77 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -24,6 +24,7 @@ platform: chrony
identifiers:
cce@rhel7: CCE-83418-4
cce@rhel8: CCE-82873-1
+ cce@rhel9: CCE-84218-7
references:
cis@rhel7: 2.2.1.2
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index 0c7a01f4a15..7b8edaf8b65 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -20,6 +20,7 @@ platform: machine
identifiers:
cce@rhel7: CCE-83419-2
cce@rhel8: CCE-82874-9
+ cce@rhel9: CCE-84215-3
references:
cis@rhel7: 2.2.1.1
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index c582b2d6121..dad54bcbfa4 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -23,6 +23,7 @@ platform: machine
identifiers:
cce@rhel7: CCE-83420-0
cce@rhel8: CCE-82875-6
+ cce@rhel9: CCE-84217-9
references:
cis@rhel7: 2.2.1.3
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index f582f8b481d..ec4a0de2f61 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-27354-0
cce@rhel8: CCE-80850-1
+ cce@rhel9: CCE-84155-1
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
index 2c6448da572..3a4e6d4ac78 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27443-1
cce@rhel8: CCE-80888-1
+ cce@rhel9: CCE-84156-9
references:
cis@rhel7: 2.1.7
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index e836dc6fb10..87f57cda697 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -22,6 +22,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-27396-1
cce@rhel8: CCE-82181-9
+ cce@rhel9: CCE-84151-0
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index e45f5ad0135..55ad750f02d 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -20,6 +20,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27399-5
cce@rhel8: CCE-82432-6
+ cce@rhel9: CCE-84152-8
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
index 02e2983feee..d4880e23956 100644
--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
@@ -21,6 +21,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27406-8
cce@rhel8: CCE-80842-8
+ cce@rhel9: CCE-84145-2
references:
cis@rhel7: 6.2.14
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
index 33c36cde67d..ed8c4a6c090 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
@@ -20,6 +20,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27342-5
cce@rhel8: CCE-82184-3
+ cce@rhel9: CCE-84143-7
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
index 5b27c0ced97..0997a778984 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -29,6 +29,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-27274-0
cce@rhel8: CCE-82183-5
+ cce@rhel9: CCE-84142-9
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
index 597be531e87..addfd018351 100644
--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
@@ -18,6 +18,7 @@ platform: machine
identifiers:
cce@rhel7: CCE-83334-3
cce@rhel8: CCE-83335-0
+ cce@rhel9: CCE-84140-3
references:
cis@rhel7: 2.2.19
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
index e46e4f55d00..e0667d8811f 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27210-4
cce@rhel8: CCE-82180-1
+ cce@rhel9: CCE-84158-5
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 24743fc2d66..0e3c53e4b09 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27432-4
cce@rhel8: CCE-80848-5
+ cce@rhel9: CCE-84157-7
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index a26491259da..01c967baae8 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -27,6 +27,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27165-0
cce@rhel8: CCE-82182-7
+ cce@rhel9: CCE-84149-4
cce@sle12: CCE-83084-4
cce@sle15: CCE-83273-3
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index afef4887348..b953c71f65c 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-27305-2
cce@rhel8: CCE-80849-3
+ cce@rhel9: CCE-84146-0
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
index b6446c2a78b..f4e0378f9e5 100644
--- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
@@ -41,6 +41,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27401-9
cce@rhel8: CCE-80887-3
+ cce@rhel9: CCE-84150-2
references:
cis@rhel7: 2.2.19
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index ca25bb21244..abcff3d8982 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -20,6 +20,7 @@ severity: high
identifiers:
cce@rhel7: CCE-80213-2
cce@rhel8: CCE-82436-7
+ cce@rhel9: CCE-84154-4
references:
anssi: BP28(R1)
diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
index 71ef701ec8f..1cedfddfd2c 100644
--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml
+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
@@ -14,6 +14,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80282-7
cce@rhel8: CCE-82861-6
+ cce@rhel9: CCE-90795-6
references:
cis@rhel7: 2.2.4
diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
index f9495eef39c..5567e024ba1 100644
--- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
+++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
@@ -15,6 +15,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80286-8
cce@rhel8: CCE-82189-2
+ cce@rhel9: CCE-84238-5
{{{ complete_ocil_entry_package(package="squid") }}}
diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
index 1a538ab1e05..f12fa6f203d 100644
--- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
+++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
@@ -16,6 +16,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80285-0
cce@rhel8: CCE-82190-0
+ cce@rhel9: CCE-84239-3
references:
cis@rhel7: 2.2.13
diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
index 4f1e4d85197..46387098d2d 100644
--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82831-9
+ cce@rhel9: CCE-84223-7
cce@rhcos4: CCE-82535-6
references:
diff --git a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
index 9688f30b22f..b1dbf5b93af 100644
--- a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
+++ b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-27594-1
cce@rhel8: CCE-82187-6
+ cce@rhel9: CCE-84191-6
references:
disa: CCI-000366
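Review bot: Giving package_quagga_removed (and service_zebra_disabled in the next hunk) a `cce@rhel9` identifier suggests the routing-daemon control is covered on RHEL 9, but to my knowledge Quagga was replaced by FRR from RHEL 8 onwards. If so, both rules would pass without saying anything about whether a routing daemon is installed or running, which should be confirmed against the RHEL 9 package set. At minimum I would add a comment next to the identifier, such as `# RHEL 9 ships FRR rather than quagga; this rule does not cover frr`, or pair the rules with FRR equivalents before they enter a RHEL 9 profile. The rule description and check are outside the hunk, so this is inferred from the rule names only.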
diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
index 8d173cf74f4..595e8da103b 100644
--- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
+++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27191-6
cce@rhel8: CCE-80889-9
+ cce@rhel9: CCE-84192-4
references:
disa: CCI-000366
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
index 1dba9883089..acd5c19efaf 100644
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80277-7
cce@rhel8: CCE-82759-2
+ cce@rhel9: CCE-84201-3
references:
cis@rhel7: 2.2.12
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
index df46bd44b95..25f676360c2 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80274-4
cce@rhel8: CCE-82758-4
+ cce@rhel9: CCE-90832-7
references:
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
index 08224309561..15a190d5e49 100644
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82902-8
cce@rhel8: CCE-82901-0
+ cce@rhel9: CCE-90817-8
references:
cis@rhel7: 5.2.1
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
index f69a5a177c0..ee707dc646f 100644
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82899-6
cce@rhel8: CCE-82898-8
+ cce@rhel9: CCE-90821-0
references:
cis@rhel7: 5.2.1
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
index ff719e2ca20..5250f1c72fb 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82895-4
cce@rhel8: CCE-82894-7
+ cce@rhel9: CCE-90818-6
references:
cis@rhel7: 5.2.1
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index 57f3fcf792b..f6aee9aba0c 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27485-2
cce@rhel8: CCE-82424-3
+ cce@rhel9: CCE-90820-2
cce@sle12: CCE-83058-8
cce@sle15: CCE-85644-3
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index 553560b83f6..30a8002bf1a 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27311-0
cce@rhel8: CCE-82428-4
+ cce@rhel9: CCE-90819-4
cce@sle12: CCE-83057-0
cce@sle15: CCE-85643-5
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
index 5f585c1a502..67bf4e7e022 100644
--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82722-0
+ cce@rhel9: CCE-90836-8
references:
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index 2d12bf7a8cc..46794f04946 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80215-7
cce@rhel8: CCE-83303-8
+ cce@rhel9: CCE-90823-6
references:
stigid@ol7: OL07-00-040300
diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
index a7aaa4f3f9c..8ecbc74b778 100644
--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80216-5
cce@rhel8: CCE-82426-8
+ cce@rhel9: CCE-90822-8
cce@sle12: CCE-83201-4
cce@sle15: CCE-83297-2
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
index af004f81acf..888e9aa2aab 100644
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27413-4
cce@rhel8: CCE-80786-7
+ cce@rhel9: CCE-90816-0
references:
stigid@ol7: OL07-00-010470
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
index fc9d1b9b3f3..4094e612579 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
@@ -20,6 +20,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27320-1
cce@rhel8: CCE-80894-9
+ cce@rhel9: CCE-90812-9
references:
stigid@ol7: OL07-00-040390
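Review bot: The added `cce@rhel9: CCE-90812-9` maps a `severity: high` rule onto a product where it is probably moot. OpenSSH removed server-side support for SSH protocol 1 in 7.4, so a `Protocol 2` line in sshd_config has nothing left to enforce on a release that ships a newer sshd. The rule's description and check lie outside this hunk, so this is inferred from the rule name. If it holds, a scan reports either a high-severity failure for a setting with no effect or a pass that adds no assurance. I would leave the identifier out until the rule is confirmed applicable to RHEL 9, or make sure no RHEL 9 profile selects it.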
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index 54f40e75063..2e56c574a6c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80224-9
cce@rhel8: CCE-80895-6
+ cce@rhel9: CCE-90801-2
cce@sle12: CCE-83062-0
cce@sle15: CCE-85647-6
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
index 9e1cf6aae75..a8a1497d84d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
@@ -21,6 +21,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27471-2
cce@rhel8: CCE-80896-4
+ cce@rhel9: CCE-90799-8
cce@sle12: CCE-83014-1
cce@sle15: CCE-85667-4
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
index c15ef0c36a2..282b850f24c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80220-7
cce@rhel8: CCE-80897-2
+ cce@rhel9: CCE-90808-7
references:
stigid@ol7: OL07-00-040430
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
index 206a7c1399d..76708e44e1e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80221-5
cce@rhel8: CCE-80898-0
+ cce@rhel9: CCE-90802-0
references:
stigid@ol7: OL07-00-040440
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
index d9bbe22ec98..2d8670ee211 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27377-1
cce@rhel8: CCE-80899-8
+ cce@rhel9: CCE-90797-2
cce@rhcos4: CCE-82665-1
references:
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
index 5b36e99912a..3d987f0281d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27445-6
cce@rhel8: CCE-80901-2
+ cce@rhel9: CCE-90800-4
cce@sle12: CCE-83035-6
cce@sle15: CCE-85557-7
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
index 9a0a7b6dfa5..b9282f8c0dc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83301-2
+ cce@rhel9: CCE-90806-1
references:
cis@rhel8: 5.2.17
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
index cd63b670a25..2580b3cdfe4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80372-6
cce@rhel8: CCE-80902-0
+ cce@rhel9: CCE-90796-4
cce@sle12: CCE-83056-2
cce@sle15: CCE-85642-7
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index b93aa2e6430..7da4e89cd6b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83359-0
cce@rhel8: CCE-83360-8
+ cce@rhel9: CCE-90798-0
cce@sle15: CCE-85707-8
references:
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
index 006a8496cef..cd08a39312b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27363-1
cce@rhel8: CCE-80903-8
+ cce@rhel9: CCE-90803-8
cce@sle12: CCE-83015-8
cce@sle15: CCE-85666-6
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
index 757ffe95f0e..6edd3480966 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80222-3
cce@rhel8: CCE-80904-6
+ cce@rhel9: CCE-90809-5
cce@sle12: CCE-83060-4
cce@sle15: CCE-85645-0
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index c2c045ceb48..b8c7e45edf0 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27314-4
cce@rhel8: CCE-80905-3
+ cce@rhel9: CCE-90807-9
cce@sle12: CCE-83066-1
cce@sle15: CCE-83263-4
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
index 886a03cdadd..d4a520437bb 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80225-6
cce@rhel8: CCE-82281-7
+ cce@rhel9: CCE-90804-6
cce@sle12: CCE-83083-6
cce@sle15: CCE-85563-5
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index 84eb61830ff..a4f65562d73 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82177-7
+ cce@rhel9: CCE-90815-2
references:
ospp: FCS_SSHS_EXT.1
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 7444e9680d1..7b49ebbbefb 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27433-2
cce@rhel8: CCE-80906-1
+ cce@rhel9: CCE-90811-1
cce@rhcos4: CCE-82549-7
cce@sle12: CCE-83027-3
cce@sle15: CCE-83281-6
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index 3995cd8c4ad..5b08b3b93fb 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27082-7
cce@rhel8: CCE-80907-9
+ cce@rhel9: CCE-90805-3
cce@rhcos4: CCE-82464-9
cce@sle12: CCE-83034-9
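Review bot: Before `cce@rhel9: CCE-90805-3` is assigned, the value this rule expects for `ClientAliveCountMax` should be checked against the sshd that RHEL 9 ships. Since OpenSSH 8.2, `ClientAliveCountMax 0` disables connection termination entirely, where it used to drop the session at the first keepalive check. The rule's check is outside this hunk, but if it still requires 0 it would pass on a host where idle SSH sessions are never closed. The sshd_set_idle_timeout hunk above (`cce@rhel9: CCE-90811-1`) appears to rely on the older behaviour and deserves the same check.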
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
index 2f170a1a3c8..f6c57ccd113 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
@@ -21,6 +21,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80645-5
cce@rhel8: CCE-82282-5
+ cce@rhel9: CCE-90813-7
references:
cis@debian10: 9.3.2
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index c7aa0e8899e..806953fd3c8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82354-2
cce@rhel8: CCE-83500-9
+ cce@rhel9: CCE-90810-3
references:
cis@debian9: 9.3.5
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
index 2782b71905a..a283a97f99a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83357-4
+ cce@rhel9: CCE-84103-1
references:
cis@rhel8: 5.2.19
diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
index 7202c3b73e7..88c5f0a0684 100644
--- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
+++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82168-6
+ cce@rhel9: CCE-84206-2
cce@rhcos4: CCE-82538-0
references:
diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
index e7d3514efb0..dfc9d60d51c 100644
--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
@@ -41,6 +41,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82960-6
cce@rhel8: CCE-82959-8
+ cce@rhel9: CCE-84203-9
cce@rhcos4: CCE-82524-0
references:
diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
index a111d010844..28136f33936 100644
--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
+++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
@@ -18,6 +18,7 @@ platform: machine
identifiers:
cce@rhel8: CCE-82853-3
+ cce@rhel9: CCE-84205-4
cce@rhcos4: CCE-82537-2
references:
diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
index 49fbfceb390..2f54b61c9b0 100644
--- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
+++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82368-2
+ cce@rhel9: CCE-84210-4
cce@rhcos4: CCE-82539-8
references:
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index b1f1c590828..9c3e5853578 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27218-7
cce@rhel8: CCE-82757-6
+ cce@rhel9: CCE-84104-9
references:
cis@rhel7: 2.2.2
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index 10d5efe93f4..d4ae55e76e3 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -37,6 +37,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83410-1
cce@rhel8: CCE-83411-9
+ cce@rhel9: CCE-84106-4
references:
disa: CCI-000366
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
index e64ddd91807..4a33f52bb91 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27285-6
cce@rhel8: CCE-83380-6
+ cce@rhel9: CCE-84105-6
references:
disa: CCI-000366
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
index 8dde113ea69..42313d7861f 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
@@ -84,6 +84,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27303-7
cce@rhel8: CCE-80763-6
+ cce@rhel9: CCE-83557-9
cce@rhcos4: CCE-82555-4
cce@sle12: CCE-83054-7
cce@sle15: CCE-83262-6
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
index fcc47279783..bb74c68d893 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
@@ -51,6 +51,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83394-7
cce@rhel8: CCE-83496-0
+ cce@rhel9: CCE-83559-5
references:
cis@rhel7: 1.7.1.
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
index b30f8cde0f1..8bca4673c92 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83347-5
cce@rhel8: CCE-83348-3
+ cce@rhel9: CCE-83551-2
references:
cis@rhel7: 1.7.5
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
index 460cc2f5d95..bd29403c607 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83337-6
cce@rhel8: CCE-83338-4
+ cce@rhel9: CCE-83554-6
references:
cis@rhel7: 1.7.4
diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
index 1662306b3a9..fc4f0e4b87d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
@@ -29,6 +29,7 @@ severity: low
identifiers:
cce@rhel7: CCE-27275-7
cce@rhel8: CCE-80788-3
+ cce@rhel9: CCE-83560-3
cce@sle12: CCE-83149-5
cce@sle15: CCE-85560-1
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index cb90c7ce004..98c5f2922be 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82030-8
cce@rhel8: CCE-80666-1
+ cce@rhel9: CCE-83584-3
cce@sle15: CCE-85678-1
references:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 37434a1f593..cee6c05fd97 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27350-8
cce@rhel8: CCE-80667-9
+ cce@rhel9: CCE-83587-6
references:
stigid@ol7: OL07-00-010320
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index da61edfad1f..a03264066f1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80353-6
cce@rhel8: CCE-80668-7
+ cce@rhel9: CCE-83589-2
references:
stigid@ol7: OL07-00-010330
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index 7dd0b99acf3..87026e13fb3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -37,6 +37,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27297-1
cce@rhel8: CCE-80669-5
+ cce@rhel9: CCE-83583-5
references:
stigid@ol7: OL07-00-010320
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index 08902f5a931..2eb38a4ba6f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-26884-7
cce@rhel8: CCE-80670-3
+ cce@rhel9: CCE-83588-4
references:
stigid@ol7: OL07-00-010320
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
index c575ed1c153..b76cf3ad00c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27214-6
cce@rhel8: CCE-80653-9
+ cce@rhel9: CCE-83566-0
references:
stigid@ol7: OL07-00-010140
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
index 44f24e8cfb0..f0408f872b8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
@@ -32,6 +32,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82020-9
cce@rhel8: CCE-80654-7
+ cce@rhel9: CCE-83564-5
references:
stigid@ol7: OL07-00-010160
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
index 20361952d6b..245e97485a3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27345-8
cce@rhel8: CCE-80655-4
+ cce@rhel9: CCE-83570-2
references:
stigid@ol7: OL07-00-010130
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
index a1eaf377d24..c2a456fabd4 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27512-3
cce@rhel8: CCE-81034-1
+ cce@rhel9: CCE-83575-1
references:
stigid@ol7: OL07-00-010190
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
index b4fc71af15b..2ee715f20ce 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82055-5
cce@rhel8: CCE-82066-2
+ cce@rhel9: CCE-83567-8
references:
stigid@ol7: OL07-00-010180
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index 1738c4a07c0..509ba7d0f3b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -39,6 +39,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82045-6
cce@rhel8: CCE-82046-4
+ cce@rhel9: CCE-83563-7
references:
stigid@ol7: OL07-00-010170
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index 529799224b3..b395ce336e2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27293-0
cce@rhel8: CCE-80656-2
+ cce@rhel9: CCE-83579-3
references:
stigid@ol7: OL07-00-010280
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index 2f42a13c24b..3f64ac5fff7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27360-7
cce@rhel8: CCE-80663-8
+ cce@rhel9: CCE-83565-2
references:
stigid@ol7: OL07-00-010150
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index f1f65e3b03d..c1ef5e5f64d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27160-1
cce@rhel8: CCE-80664-6
+ cce@rhel9: CCE-83569-4
references:
stigid@ol7: OL07-00-010119
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
index a55c1b17003..33c60084985 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27200-5
cce@rhel8: CCE-80665-3
+ cce@rhel9: CCE-83568-6
references:
stigid@ol7: OL07-00-010120
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index b0ecbd2bf1e..282c6182af8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -46,6 +46,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82043-1
cce@rhel8: CCE-80893-1
+ cce@rhel9: CCE-83581-9
cce@sle12: CCE-83184-2
cce@sle15: CCE-85565-0
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index bc8c0a224b1..91515fcda12 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82185-0
cce@rhel8: CCE-82186-8
+ cce@rhel9: CCE-83592-6
references:
stigid@rhel7: RHEL-07-010481
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 3dee04454c3..49e084358b2 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27287-2
cce@rhel8: CCE-80855-0
+ cce@rhel9: CCE-83594-2
cce@rhcos4: CCE-82550-5
references:
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
index b6f9df180ea..70f73ee2865 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82963-0
cce@rhel8: CCE-80644-8
+ cce@rhel9: CCE-83599-1
references:
cui: 3.1.10
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
index 652e9287759..be1ca56f2da 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -38,6 +38,7 @@ identifiers:
cce@sle12: CCE-83177-6
cce@sle15: CCE-83292-3
cce@rhel8: CCE-84029-8
+ cce@rhel9: CCE-83596-7
references:
stigid@ol7: OL07-00-041001
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
index 5f8caa69b5e..dfcf1709d0d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80568-9
cce@rhel8: CCE-80846-9
+ cce@rhel9: CCE-83595-9
references:
disa: CCI-001954,CCI-001953
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index 0c538123879..71c05cec2a7 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27355-7
cce@rhel8: CCE-80954-1
+ cce@rhel9: CCE-83627-0
cce@rhcos4: CCE-82695-8
cce@sle12: CCE-83051-3
cce@sle15: CCE-85558-5
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
index 6ef67acd5a1..4ef020cccff 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80208-2
cce@rhel8: CCE-80674-5
+ cce@rhel9: CCE-83628-8
references:
cjis: 5.5.2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index 15486e55f95..e89543ee542 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27051-2
cce@rhel8: CCE-80647-1
+ cce@rhel9: CCE-83606-4
cce@sle12: CCE-83050-5
cce@sle15: CCE-85570-0
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
index 31cf2d2124c..3bb7d560c33 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82036-5
cce@rhel8: CCE-80648-9
+ cce@rhel9: CCE-83610-6
cce@sle12: CCE-83049-7
cce@sle15: CCE-85720-1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
index 4f316230045..6fc5842a7cb 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82049-8
cce@rhel8: CCE-80652-1
+ cce@rhel9: CCE-83608-0
references:
cjis: 5.6.2.1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
index 3b51e91d080..3cee41c8ab3 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82016-7
cce@rhel8: CCE-80671-1
+ cce@rhel9: CCE-83609-8
references:
cui: 3.5.8
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
index 0563b15fc4e..a018101e9fa 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27352-4
cce@rhel8: CCE-80651-3
+ cce@rhel9: CCE-83618-9
references:
cjis: 5.5.2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
index 71c7f51f1fd..e0219783963 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83402-8
cce@rhel8: CCE-83403-6
+ cce@rhel9: CCE-83615-5
references:
anssi: BP28(R32)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
index e4912d51154..36181c5b094 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83384-8
cce@rhel8: CCE-83386-3
+ cce@rhel9: CCE-83621-3
references:
anssi: BP28(R32)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
index 4f48f364505..97a37c42f91 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
@@ -14,6 +14,7 @@ severity: low
identifiers:
cce@rhel7: CCE-27503-2
cce@rhel8: CCE-80822-0
+ cce@rhel9: CCE-83613-0
references:
stigid@ol7: OL07-00-020300
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
index 4f0c5894d10..eb36cc54ff4 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -24,6 +24,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27286-4
cce@rhel8: CCE-80841-0
+ cce@rhel9: CCE-83611-4
cce@rhcos4: CCE-82553-9
cce@sle12: CCE-83039-8
cce@sle15: CCE-85576-7
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
index f9799183e0c..126f2ba5645 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83388-9
cce@rhel8: CCE-83389-7
+ cce@rhel9: CCE-83616-3
references:
cis@rhel7: 6.2.4
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
index 1703c8b7ff4..12e9a1253e1 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82889-7
cce@rhel8: CCE-82890-5
+ cce@rhel9: CCE-83620-5
references:
cis@rhel7: 6.2.2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
index 94ba6160154..102c4def630 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83390-5
cce@rhel8: CCE-84290-6
+ cce@rhel9: CCE-83612-2
references:
cis@rhel7: 6.2.3
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
index 9e9ac4a3d87..1781d30ce87 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80211-6
cce@rhel8: CCE-83444-0
+ cce@rhel9: CCE-83617-1
cce@rhcos4: CCE-82667-7
references:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
index 0174370d54c..4357fd62803 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
@@ -24,6 +24,7 @@ severity: high
identifiers:
cce@rhel7: CCE-82054-8
cce@rhel8: CCE-80649-7
+ cce@rhel9: CCE-83624-7
cce@rhcos4: CCE-82699-0
cce@sle12: CCE-83020-8
cce@sle15: CCE-85664-1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
index cf261e7dbc4..ee402c27798 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27294-8
cce@rhel8: CCE-80840-2
+ cce@rhel9: CCE-83625-4
cce@rhcos4: CCE-82698-2
references:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
index 65e41ca5c18..b82172844fd 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82015-9
cce@rhel8: CCE-80843-6
+ cce@rhel9: CCE-83623-9
cce@rhcos4: CCE-82697-4
cce@sle15: CCE-85672-4
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
index 1755f68c28e..0828e1c14e4 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27268-2
cce@rhel8: CCE-80856-8
+ cce@rhel9: CCE-83622-1
references:
cui: '3.1.1,3.1.5'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
index e53917e4f22..3d04c7ec7ec 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27318-5
cce@rhel8: CCE-80864-2
+ cce@rhel9: CCE-83626-2
references:
cui: '3.1.1,3.1.5'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index d1da3b69637..c5696d27985 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -17,6 +17,7 @@ identifiers:
cce@rhel7: CCE-80352-8
cce@sle12: CCE-83028-1
cce@rhel8: CCE-84037-1
+ cce@rhel9: CCE-83635-3
references:
stigid@ol7: OL07-00-010430
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index 50ae13a1df7..dfc5836d665 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -20,6 +20,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82041-5
cce@rhel8: CCE-80955-8
+ cce@rhel9: CCE-83641-1
cce@sle12: CCE-83065-3
cce@sle15: CCE-85555-1
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
index abe3c4e82a8..74e0ee3261e 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-83731-0
cce@rhel8: CCE-83732-8
+ cce@rhel9: CCE-90827-7
references:
anssi: BP28(R39)
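Review bot: `cce@rhel9: CCE-90827-7` comes from a different number range than the CCE-83xxx identifiers given to the neighbouring rules in this patch. The same is true of `cce@rhel9: CCE-90828-5` in the accounts_umask_etc_profile hunk. Both values are well-formed, so this does not look like a typo. It is still worth confirming that they came from the project's pool of unassigned CCEs and are not already bound to another rule, because scanners and compliance reports rely on a CCE being unique per rule and product. The identifiers block starts inside the hunk but the rest of the rule file is outside it.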
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
index 5ded3a505f8..312a2ab6987 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-83777-3
cce@rhel8: CCE-83778-1
+ cce@rhel9: CCE-83642-9
references:
anssi: BP28(R39)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index 5130296ad98..4c890a9ed9f 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27557-8
cce@rhel8: CCE-80673-7
+ cce@rhel9: CCE-83633-8
cce@sle12: CCE-83011-7
cce@sle15: CCE-83269-1
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index ac541680fa7..bd075ed358c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80529-1
cce@rhel8: CCE-83424-2
+ cce@rhel9: CCE-83639-5
cce@sle12: CCE-83074-5
cce@sle15: CCE-85628-6
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 237e7e86c12..bfd92f73cfe 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80532-5
cce@rhel8: CCE-83434-1
+ cce@rhel9: CCE-83629-6
cce@sle12: CCE-83096-8
cce@sle15: CCE-85711-0
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index 044118cbdcd..722603ca78c 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -21,6 +21,7 @@ identifiers:
cce@sle12: CCE-83097-6
cce@sle15: CCE-85630-2
cce@rhel8: CCE-84043-9
+ cce@rhel9: CCE-83637-9
references:
stigid@ol7: OL07-00-020710
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index e070fdb6669..6f2e53f38da 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -21,6 +21,7 @@ identifiers:
cce@sle12: CCE-83076-0
cce@sle15: CCE-85629-4
cce@rhel8: CCE-84038-9
+ cce@rhel9: CCE-83634-6
references:
stigid@ol7: OL07-00-020630
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
index f3b68707cb0..95e67220245 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80201-7
cce@rhel8: CCE-84274-0
+ cce@rhel9: CCE-83638-7
references:
disa: CCI-000225
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
index 73ebb701cc8..1f09ce4d10e 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80200-9
cce@rhel8: CCE-80672-9
+ cce@rhel9: CCE-83643-7
references:
disa: CCI-000366
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index d9afad723ef..3ddbc2272db 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80202-5
cce@rhel8: CCE-81036-6
+ cce@rhel9: CCE-83644-5
cce@rhcos4: CCE-84260-9
references:
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index 99c7f274bd5..e4f7690f9c7 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80205-8
cce@rhel8: CCE-82888-9
+ cce@rhel9: CCE-83647-8
cce@sle12: CCE-83052-1
cce@sle15: CCE-85659-1
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
index 2ccc8b93149..e2531c67eb5 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
@@ -17,6 +17,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80204-1
cce@rhel8: CCE-81035-8
+ cce@rhel9: CCE-90828-5
cce@rhcos4: CCE-84262-5
references:
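Review bot: The rule that receives a RHEL 9 CCE here is still `severity: unknown`, as shown in the hunk header. Its sibling umask rules accounts_umask_etc_bashrc and accounts_umask_etc_login_defs in this same patch are `severity: medium`. Once the rule is selectable for RHEL 9, its findings will reach scan reports with no usable severity for triage. Consider setting `severity: medium` to match the siblings, or add a comment explaining why it is left unrated. The severity line sits above the hunk, so this would be a separate edit to the same file.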
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
index 7f4367ca2e8..826c83f6026 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27339-1
cce@rhel8: CCE-80685-1
+ cce@rhel9: CCE-83830-0
cce@rhcos4: CCE-82556-2
cce@sle12: CCE-83106-5
cce@sle15: CCE-85693-0
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
index a5f3f15bf35..05a2bb66ee9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27364-9
cce@rhel8: CCE-80686-9
+ cce@rhel9: CCE-83812-8
cce@rhcos4: CCE-82557-0
cce@sle12: CCE-83137-0
cce@sle15: CCE-85690-6
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index 48f1016a4c7..11c083e8cc1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27393-8
cce@rhel8: CCE-80687-7
+ cce@rhel9: CCE-83832-6
cce@rhcos4: CCE-82558-8
cce@sle12: CCE-83133-9
cce@sle15: CCE-85694-8
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
index b1da8c2e2d9..43a95de5a29 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27388-8
cce@rhel8: CCE-80688-5
+ cce@rhel9: CCE-83822-7
cce@rhcos4: CCE-82559-6
cce@sle12: CCE-83132-1
cce@sle15: CCE-85695-5
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
index 4688f94c29e..5499a793840 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
@@ -32,6 +32,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27356-5
cce@rhel8: CCE-80689-3
+ cce@rhel9: CCE-83829-2
cce@rhcos4: CCE-82560-4
cce@sle12: CCE-83136-2
cce@sle15: CCE-85721-9
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
index 94bf93b456e..6ac0c29bb8b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27387-0
cce@rhel8: CCE-80690-1
+ cce@rhel9: CCE-83831-8
cce@rhcos4: CCE-82561-2
cce@sle12: CCE-83134-7
cce@sle15: CCE-85692-2
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index 6c6490cec14..2c57c277664 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -34,6 +34,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27353-2
cce@rhel8: CCE-80691-9
+ cce@rhel9: CCE-83821-9
cce@rhcos4: CCE-82562-0
cce@sle12: CCE-83138-8
cce@sle15: CCE-85686-4
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index f8d076876e0..bbb177ebd9a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27389-6
cce@rhel8: CCE-80692-7
+ cce@rhel9: CCE-83817-7
cce@rhcos4: CCE-82563-8
cce@sle12: CCE-83141-2
cce@sle15: CCE-85688-0
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 746f5b38f70..2682b06a4ba 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27083-5
cce@rhel8: CCE-80693-5
+ cce@rhel9: CCE-83833-4
cce@rhcos4: CCE-82564-6
cce@sle12: CCE-83135-4
cce@sle15: CCE-85691-4
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index cada76ea71f..c5b7f0a4b1a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -34,6 +34,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27410-0
cce@rhel8: CCE-80694-3
+ cce@rhel9: CCE-83814-4
cce@rhcos4: CCE-82565-3
cce@sle12: CCE-83139-6
cce@sle15: CCE-85685-6
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index 7b8a48e4295..ccc2520da57 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27280-7
cce@rhel8: CCE-80695-0
+ cce@rhel9: CCE-83808-6
cce@rhcos4: CCE-82566-1
cce@sle15: CCE-85689-8
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index 839857dfbbe..89895b2802c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27367-2
cce@rhel8: CCE-80696-8
+ cce@rhel9: CCE-83807-8
cce@rhcos4: CCE-82567-9
cce@sle12: CCE-83140-4
cce@sle15: CCE-85684-9
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 413b11ebcc3..83511fa4bcf 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27213-8
cce@rhel8: CCE-80697-6
+ cce@rhel9: CCE-83811-0
cce@rhcos4: CCE-82568-7
cce@sle12: CCE-83142-0
cce@sle15: CCE-85687-2
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
index 0972a0a04ef..f94d9209106 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
@@ -41,6 +41,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80393-2
cce@rhel8: CCE-80698-4
+ cce@rhel9: CCE-83748-4
cce@rhcos4: CCE-82569-5
cce@sle12: CCE-83215-4
cce@sle15: CCE-85716-9
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
index 4b199b8bca6..8c8a39007cb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80394-0
cce@rhel8: CCE-80699-2
+ cce@rhel9: CCE-83749-2
cce@rhcos4: CCE-82570-3
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
index 673bdaf3e2a..6280105ce22 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80391-6
cce@rhel8: CCE-80700-8
+ cce@rhel9: CCE-83750-0
cce@rhcos4: CCE-82571-1
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
index 0440dc51191..dfbfce4df9a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80660-4
cce@rhel8: CCE-82280-9
+ cce@rhel9: CCE-83736-9
cce@rhcos4: CCE-82572-9
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
index 894b1e83fcd..773c1829179 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80392-4
cce@rhel8: CCE-80701-6
+ cce@rhel9: CCE-83751-8
cce@rhcos4: CCE-82573-7
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
index 80dc8e2825a..f616cc6940e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82362-5
cce@rhel8: CCE-80933-5
+ cce@rhel9: CCE-83746-8
cce@rhcos4: CCE-82574-5
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
index ae2fc418856..453f4ab4354 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27206-2
cce@rhel8: CCE-80702-4
+ cce@rhel9: CCE-83752-6
references:
cis@rhel7: 4.1.14
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
index 237403a21c8..1c2149fae72 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80995-4
cce@rhel8: CCE-80703-2
+ cce@rhel9: CCE-83754-2
cce@rhcos4: CCE-82575-2
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
index f8ee193dbfa..5dfc167e34d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80413-8
cce@rhel8: CCE-80704-0
+ cce@rhel9: CCE-83756-7
cce@rhcos4: CCE-82576-0
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
index 7061949cbe2..49f5c093061 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80412-0
cce@rhel8: CCE-80705-7
+ cce@rhel9: CCE-83758-3
cce@rhcos4: CCE-82577-8
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
index 5b4677af2bc..80f1483e895 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80996-2
cce@rhel8: CCE-80706-5
+ cce@rhel9: CCE-83757-5
cce@rhcos4: CCE-82578-6
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
index f0eb0092d79..b6a1a10f75f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80662-0
cce@rhel8: CCE-80707-3
+ cce@rhel9: CCE-83755-9
cce@rhcos4: CCE-82579-4
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
index 2a8763f30b4..7454775a900 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
@@ -35,6 +35,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27347-4
cce@rhel8: CCE-80750-3
+ cce@rhel9: CCE-83793-0
references:
cjis: 5.4.1.1
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index 648095bb69f..27423e6deaf 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -35,6 +35,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80385-8
cce@rhel8: CCE-80751-1
+ cce@rhel9: CCE-83786-4
cce@rhcos4: CCE-82621-4
cce@sle12: CCE-83092-7
cce@sle15: CCE-85681-5
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 5f4e10fc1ac..3391cd44a3d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -38,6 +38,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80390-8
cce@rhel8: CCE-80752-9
+ cce@rhel9: CCE-83800-3
cce@rhcos4: CCE-82629-7
cce@sle12: CCE-83091-9
cce@sle15: CCE-85696-3
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 5761374a4f8..7c9441884d3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -38,6 +38,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80386-6
cce@rhel8: CCE-80753-7
+ cce@rhel9: CCE-83801-1
cce@rhcos4: CCE-82633-9
cce@sle12: CCE-83131-3
cce@sle15: CCE-85680-7
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index 7cf89f50dde..4b4c259cd63 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -35,6 +35,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80388-2
cce@rhel8: CCE-80755-2
+ cce@rhel9: CCE-83796-3
cce@rhcos4: CCE-82640-4
cce@sle12: CCE-83094-3
cce@sle15: CCE-85683-1
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index a4b9c22956c..7b44a725d6f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -38,6 +38,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80387-4
cce@rhel8: CCE-80754-5
+ cce@rhel9: CCE-83794-8
cce@rhcos4: CCE-82634-7
cce@sle12: CCE-83093-5
cce@sle15: CCE-85682-3
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index f0ac52a2ab9..899c453b947 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -38,6 +38,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80389-0
cce@rhel8: CCE-80756-0
+ cce@rhel9: CCE-83792-2
cce@rhcos4: CCE-82651-1
cce@sle12: CCE-83085-1
cce@sle15: CCE-85608-8
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
index 446766d0e50..35cb29e095f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27129-6
cce@rhel8: CCE-80709-9
+ cce@rhel9: CCE-83804-5
references:
cis@rhel7: 4.1.17
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index d8ce90bf575..c96fbb705c8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80415-3
cce@rhel8: CCE-80711-5
+ cce@rhel9: CCE-83802-9
cce@rhcos4: CCE-82580-2
cce@sle12: CCE-83128-9
cce@sle15: CCE-85748-2
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index cf4dea7a588..43b487f06b3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80547-3
cce@rhel8: CCE-80712-3
+ cce@rhel9: CCE-83803-7
cce@rhcos4: CCE-82581-0
cce@sle12: CCE-83129-7
cce@sle15: CCE-85749-0
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index b84eb7c5593..150ae82de02 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80414-6
cce@rhel8: CCE-80713-1
+ cce@rhel9: CCE-90835-0
cce@rhcos4: CCE-82582-8
cce@sle12: CCE-83130-5
cce@sle15: CCE-85750-8
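Review bot: The `cce@rhel9: CCE-90835-0` line added for audit_rules_kernel_module_loading_init is the only RHEL 9 identifier in this stretch of the patch outside the CCE-837xx–838xx block used by the neighbouring rules; the sibling delete and finit rules get CCE-83802-9 and CCE-83803-7. Its check digit is consistent, so it is probably drawn from a different allocation rather than mistyped, but please confirm against the project's RHEL 9 CCE allocation list that it is assigned to this rule and to no other. Scan results and compliance reports are keyed on these identifiers, so a misassigned CCE would attribute this rule's findings to the wrong control. If the different range is intentional, a line in the commit description such as `audit_rules_kernel_module_loading_init takes its CCE from a separate pool` would save the next reviewer the lookup.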
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
index bb7d9672a55..e54d1c98fa3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
@@ -31,6 +31,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27204-7
cce@rhel8: CCE-80717-2
+ cce@rhel9: CCE-83784-9
references:
cjis: 5.4.1.1
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
index e59377bf222..a196008d371 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80383-3
cce@rhel8: CCE-80718-0
+ cce@rhel9: CCE-83783-1
cce@rhcos4: CCE-82583-6
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index 9c2bd1eac7e..b83e36f9844 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80384-1
cce@rhel8: CCE-80719-8
+ cce@rhel9: CCE-83785-6
cce@rhcos4: CCE-82584-4
cce@sle12: CCE-83108-1
cce@sle15: CCE-85598-1
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
index 50cbffd31a3..0f5c73acfd9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80994-7
cce@rhel8: CCE-80720-6
+ cce@rhel9: CCE-83782-3
cce@rhcos4: CCE-82585-1
cce@sle12: CCE-83107-3
cce@sle15: CCE-85597-3
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
index cf997bbcf4a..32731527a24 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
@@ -39,6 +39,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27437-3
cce@rhel8: CCE-80724-8
+ cce@rhel9: CCE-83759-1
cce@rhcos4: CCE-82589-3
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
index dcfbe5de239..92fc399b45c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80398-1
cce@rhel8: CCE-80725-5
+ cce@rhel9: CCE-83765-8
cce@rhcos4: CCE-82591-9
cce@sle12: CCE-83110-7
cce@sle15: CCE-85587-4
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
index 43d151984d8..bf559c8fad2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80404-7
cce@rhel8: CCE-80726-3
+ cce@rhel9: CCE-83763-3
cce@rhcos4: CCE-82592-7
cce@sle12: CCE-83163-6
cce@sle15: CCE-85586-6
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index cdbcd540e15..483c8fb4e84 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80410-4
cce@rhel8: CCE-80727-1
+ cce@rhel9: CCE-83761-7
cce@rhcos4: CCE-82593-5
cce@sle12: CCE-83126-3
cce@sle15: CCE-85588-2
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
index 64ebb4b3274..ec514df8a96 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80397-3
cce@rhel8: CCE-80728-9
+ cce@rhel9: CCE-83773-2
cce@rhcos4: CCE-82594-3
cce@sle12: CCE-83161-0
cce@sle15: CCE-85584-1
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index a7b1ab0a6f3..f6b09b92430 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80403-9
cce@rhel8: CCE-80729-7
+ cce@rhel9: CCE-83766-6
cce@rhcos4: CCE-82597-6
cce@sle12: CCE-83162-8
cce@sle15: CCE-85585-8
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index c113d75ffb8..cf5804a4eb0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -41,6 +41,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80411-2
cce@rhel8: CCE-80730-5
+ cce@rhel9: CCE-83767-4
cce@rhcos4: CCE-82599-2
cce@sle12: CCE-83127-1
cce@sle15: CCE-85601-3
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index df3e1b83dce..6c76998b4e5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80395-7
cce@rhel8: CCE-80731-3
+ cce@rhel9: CCE-83781-5
cce@rhcos4: CCE-82600-8
cce@sle12: CCE-83160-2
cce@sle15: CCE-85583-3
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
index 6316f31e664..843c42e8c00 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80406-2
cce@rhel8: CCE-80732-1
+ cce@rhel9: CCE-83769-0
cce@rhcos4: CCE-82601-6
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
index 528018fe8a9..6ab088d9adb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80407-0
cce@rhel8: CCE-80733-9
+ cce@rhel9: CCE-83770-8
cce@rhcos4: CCE-82602-4
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index d32a3c45662..1fdfcda2c17 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -37,6 +37,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80408-8
cce@rhel8: CCE-80735-4
+ cce@rhel9: CCE-83776-5
cce@rhcos4: CCE-82604-0
cce@sle12: CCE-83159-4
cce@sle15: CCE-85582-5
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index bcb50c6b080..592d53e37ff 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80400-5
cce@rhel8: CCE-80736-2
+ cce@rhel9: CCE-83771-6
cce@rhcos4: CCE-82605-7
cce@sle12: CCE-83143-8
cce@sle15: CCE-85602-1
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 83775fefe5f..759bbbfdda0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80401-3
cce@rhel8: CCE-80737-0
+ cce@rhel9: CCE-83780-7
cce@rhcos4: CCE-82606-5
cce@sle12: CCE-83144-6
cce@sle15: CCE-85603-9
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
index 6f8ed9f3163..45f851653cd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80402-1
cce@rhel8: CCE-80738-8
+ cce@rhel9: CCE-83764-1
cce@rhcos4: CCE-82607-3
cce@sle15: CCE-85717-7
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index abf9d895013..db04572f95a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80405-4
cce@rhel8: CCE-80739-6
+ cce@rhel9: CCE-83762-5
cce@rhcos4: CCE-82608-1
cce@sle12: CCE-83158-6
cce@sle15: CCE-85734-2
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index f1b9dd19237..b3a13b54621 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80396-5
cce@rhel8: CCE-80740-4
+ cce@rhel9: CCE-83768-2
cce@rhcos4: CCE-82609-9
cce@sle12: CCE-83109-9
cce@sle15: CCE-85727-6
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
index 8d92480f717..e32b43bb00d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80399-9
cce@rhel8: CCE-80741-2
+ cce@rhel9: CCE-83760-9
cce@rhcos4: CCE-82610-7
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
index f42bcf1a18c..e37327bf154 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27097-5
cce@rhel8: CCE-80708-1
+ cce@rhel9: CCE-83716-1
cce@rhcos4: CCE-82668-5
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
index 3567507042f..bce6d2534dd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27168-4
cce@rhel8: CCE-80721-4
+ cce@rhel9: CCE-83721-1
cce@rhcos4: CCE-82586-9
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
index 883b19d998e..ec97d311975 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27447-2
cce@rhel8: CCE-80722-2
+ cce@rhel9: CCE-83735-1
cce@rhcos4: CCE-82587-7
cce@sle12: CCE-83217-0
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
index 134cc80a7d4..7f354a63867 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27076-9
cce@rhel8: CCE-80723-0
+ cce@rhel9: CCE-83706-2
cce@rhcos4: CCE-82588-5
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
index ddaa1f504b1..a0a232d14b0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27301-1
cce@rhel8: CCE-80742-0
+ cce@rhel9: CCE-83713-8
cce@rhcos4: CCE-82612-3
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
index b1d13fba2b8..4e095e9fcce 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27461-3
cce@rhel8: CCE-80743-8
+ cce@rhel9: CCE-83729-4
cce@rhcos4: CCE-82613-1
cce@sle15: CCE-85679-9
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
index 18ee888a8e6..240b0dcff30 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80997-0
cce@rhel8: CCE-80744-6
+ cce@rhel9: CCE-83709-6
references:
stigid@ol7: OL07-00-030010
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
index a09d23f6dff..f0580448f18 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
@@ -34,6 +34,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27192-4
cce@rhel8: CCE-80757-8
+ cce@rhel9: CCE-83715-3
references:
stigid@ol7: OL07-00-030710
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index f4f5820b617..1fab77b25f3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80433-6
cce@rhel8: CCE-80758-6
+ cce@rhel9: CCE-83722-9
cce@rhcos4: CCE-82654-5
cce@sle12: CCE-83121-4
cce@sle15: CCE-85578-3
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 3f48685b35b..889d3bf1c79 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80432-8
cce@rhel8: CCE-80759-4
+ cce@rhel9: CCE-83723-7
cce@rhcos4: CCE-82655-2
cce@sle12: CCE-83095-0
cce@sle15: CCE-85580-9
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index 5e3eba4b3f5..d4cc22ee1a1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80430-2
cce@rhel8: CCE-80760-2
+ cce@rhel9: CCE-83712-0
cce@rhcos4: CCE-82656-0
cce@sle12: CCE-83123-0
cce@sle15: CCE-85728-4
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index 0c545fd0c66..6930d0d20be 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80435-1
cce@rhel8: CCE-80761-0
+ cce@rhel9: CCE-83714-6
cce@rhcos4: CCE-82657-8
cce@sle12: CCE-83120-6
cce@sle15: CCE-85577-5
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index d4763ca4709..32b597820c4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80431-0
cce@rhel8: CCE-80762-8
+ cce@rhel9: CCE-83725-2
cce@rhcos4: CCE-82658-6
cce@sle12: CCE-83122-2
cce@sle15: CCE-85579-1
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
index 3e369f14489..290913884b6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27290-6
cce@rhel8: CCE-80745-3
+ cce@rhel9: CCE-83840-9
cce@rhcos4: CCE-82614-9
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
index f8ef91a5182..e2bd099a151 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27219-5
cce@rhel8: CCE-80746-1
+ cce@rhel9: CCE-83837-5
cce@rhcos4: CCE-82615-6
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
index f457fba8061..8a0488d8e3d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27216-1
cce@rhel8: CCE-80747-9
+ cce@rhel9: CCE-83836-7
cce@rhcos4: CCE-82616-4
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
index b8b6fbe6db2..65de17e8dee 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
@@ -37,6 +37,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27299-7
cce@rhel8: CCE-80748-7
+ cce@rhel9: CCE-83835-9
cce@rhcos4: CCE-82617-2
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
index 37d51535902..063725a1aee 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27310-2
cce@rhel8: CCE-80749-5
+ cce@rhel9: CCE-83839-1
cce@rhcos4: CCE-82618-0
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
index 2c869dfb128..c13c8fb13c2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82692-5
cce@rhel8: CCE-84048-8
+ cce@rhel9: CCE-83734-4
references:
nist: CM-6(a),AC-6(1),AU-9
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
index e495992ecb6..3d2ae4eb21c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80125-8
cce@rhel8: CCE-80808-9
+ cce@rhel9: CCE-83726-0
cce@rhcos4: CCE-82691-7
references:
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
index f9ce395716c..d1f109a7312 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27205-4
cce@rhel8: CCE-80819-6
+ cce@rhel9: CCE-83720-3
cce@rhcos4: CCE-82690-9
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
index c42c90a8254..ed31e661e58 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27341-7
cce@rhel8: CCE-80677-8
+ cce@rhel9: CCE-83695-7
references:
cjis: 5.4.1.1
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
index f1102676c58..57e98a96963 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
@@ -25,6 +25,7 @@ identifiers:
cce@rhel7: CCE-80646-3
cce@rhcos4: CCE-82679-2
cce@rhel8: CCE-84046-2
+ cce@rhel9: CCE-83690-8
references:
nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
index fd3aff398c6..77a56c9928d 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
@@ -29,6 +29,7 @@ identifiers:
cce@sle12: CCE-83032-3
cce@sle15: CCE-85606-2
cce@rhel8: CCE-84045-4
+ cce@rhel9: CCE-83684-1
references:
nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
index 114363370cd..f7e1eed913a 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27394-6
cce@rhel8: CCE-80678-6
+ cce@rhel9: CCE-83698-1
cce@rhcos4: CCE-82675-0
cce@sle12: CCE-83030-7
cce@sle15: CCE-85604-7
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
index c6ce1adb653..98822fb7a92 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27370-6
cce@rhel8: CCE-80679-4
+ cce@rhel9: CCE-83700-5
cce@rhcos4: CCE-82677-6
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
index 6d100796619..7087dd536e1 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27331-8
cce@rhel8: CCE-80680-2
+ cce@rhel9: CCE-83685-8
cce@rhcos4: CCE-82508-3
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
index d825f887f04..18a83773926 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27319-3
cce@rhel8: CCE-80681-0
+ cce@rhel9: CCE-83683-3
cce@rhcos4: CCE-82694-1
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
index ef32b8dda40..ac486f9fdee 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27231-0
cce@rhel8: CCE-80682-8
+ cce@rhel9: CCE-83701-3
cce@rhcos4: CCE-82680-0
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
index dbaa3c76e18..8618a85c6d7 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27348-2
cce@rhel8: CCE-80683-6
+ cce@rhel9: CCE-83688-2
cce@rhcos4: CCE-82693-3
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
index 0700e4881d2..6babd3b3a01 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
@@ -31,6 +31,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27375-5
cce@rhel8: CCE-80684-4
+ cce@rhel9: CCE-83703-9
cce@rhcos4: CCE-82678-4
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
index 3f6cc973db0..56f618c99ae 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82358-3
cce@rhel8: CCE-82258-5
+ cce@rhel9: CCE-83704-7
cce@rhcos4: CCE-82512-5
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
index ad5a39d3c90..5df38381c28 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82355-9
cce@rhel8: CCE-82233-8
+ cce@rhel9: CCE-83682-5
cce@rhcos4: CCE-82509-1
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
index 407e33433cd..1f3280507e3 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82357-5
cce@rhel8: CCE-82201-5
+ cce@rhel9: CCE-83696-5
cce@rhcos4: CCE-82511-7
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
index a778d5faf28..3557e8b79f8 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82359-1
cce@rhel8: CCE-82897-0
+ cce@rhel9: CCE-83686-6
cce@rhcos4: CCE-82513-3
references:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
index 0becb1671ce..24207420764 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82356-7
cce@rhel8: CCE-82366-6
+ cce@rhel9: CCE-83705-4
cce@rhcos4: CCE-82510-9
references:
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index 9f8823ad464..6408818fb8a 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27212-0
cce@rhel8: CCE-80825-3
+ cce@rhel9: CCE-83651-0
references:
cis@rhel7: 4.1.3
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index aab1e2f8cff..3a93dc412b4 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82156-1
cce@rhel8: CCE-80943-4
+ cce@rhel9: CCE-83652-8
references:
srg: SRG-OS-000254-GPOS-00095,SRG-OS-000341-GPOS-00132
diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
index 6d96d340a33..85ba222d616 100644
--- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
+++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82954-9
cce@rhel8: CCE-82953-1
+ cce@rhel9: CCE-83648-6
references:
srg: SRG-OS-000342-GPOS-00133
diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
index ac1da528ee6..3cbc735f963 100644
--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
@@ -11,6 +11,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81042-4
cce@rhel8: CCE-81043-2
+ cce@rhel9: CCE-83649-4
cce@rhcos4: CCE-82669-3
cce@sle12: CCE-83023-2
cce@sle15: CCE-85612-0
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
index a0d856b023b..1d415ae973b 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
@@ -31,6 +31,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82833-5
+ cce@rhel9: CCE-83672-6
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
index 6f79a5cf04a..dc2ff4236fa 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
@@ -36,6 +36,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82834-3
+ cce@rhel9: CCE-83653-6
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
index bd5d6455351..84f064eb799 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
@@ -44,6 +44,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82827-7
+ cce@rhel9: CCE-83670-0
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
index b2f731d11ba..6af306aa0aa 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
@@ -44,6 +44,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82374-0
+ cce@rhel9: CCE-83669-2
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
index a03a7f3b715..cfb737d4452 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
@@ -37,6 +37,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82829-3
+ cce@rhel9: CCE-83668-4
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
index d4bd88e6cfc..4436051f808 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
@@ -36,6 +36,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82835-0
+ cce@rhel9: CCE-83667-6
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
index 6c05a736e39..2bf582dd53f 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
@@ -35,6 +35,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82836-8
+ cce@rhel9: CCE-83680-9
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index 34e9fc134e0..18514ecff5a 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -32,6 +32,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82828-5
+ cce@rhel9: CCE-83673-4
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
index 2d0f7cf9da3..81493843494 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
@@ -44,6 +44,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82830-1
+ cce@rhel9: CCE-83671-8
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
index 28045878a69..45fa2df7aa7 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
@@ -39,6 +39,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82832-7
+ cce@rhel9: CCE-83681-7
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
index d764e384ea2..261cd4ef445 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
@@ -36,6 +36,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82838-4
+ cce@rhel9: CCE-90814-5
references:
ospp: FAU_GEN.1.1.c
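Review bot: The identifier added here, `cce@rhel9: CCE-90814-5`, sits outside the CCE-836xx–838xx block that the other rhel9 identifiers visible in this part of the patch come from. The same applies to `cce@rhel9: CCE-90829-3` in the service_auditd_enabled hunk further down. Both values are well-formed, so they may simply come from a second allocation pool, possibly the "missing CCE" handling the packaging commit mentions. It is still worth confirming that neither value is already assigned to another rule, because a duplicated CCE makes scan results ambiguous when they are mapped back to controls. A sentence in the commit message stating where these two values were taken from would settle it.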
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
index 0a41ece25fc..aef687ae110 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
@@ -116,6 +116,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82373-2
+ cce@rhel9: CCE-83655-1
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
index a95c0146b11..47c31aeee19 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
@@ -37,6 +37,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82384-9
+ cce@rhel9: CCE-83675-9
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
index 4133eb193f2..5a6792c5f1b 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
@@ -38,6 +38,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82385-6
+ cce@rhel9: CCE-83658-5
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
index 47f248a2b36..f83c888b928 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
@@ -36,6 +36,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82837-6
+ cce@rhel9: CCE-83676-7
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
index 5017b17849b..8bd5d90049a 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
@@ -35,6 +35,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82383-1
+ cce@rhel9: CCE-83678-3
references:
ospp: FAU_GEN.1.1.c
diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
index 19421f40ade..112bda557df 100644
--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
@@ -26,6 +26,7 @@ requires:
identifiers:
cce@rhel7: CCE-27407-6
cce@rhel8: CCE-80872-5
+ cce@rhel9: CCE-90829-3
cce@rhcos4: CCE-82463-1
cce@sle12: CCE-83024-0
cce@sle15: CCE-85581-7
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
index c1f77e21c36..0a0d76aeb23 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
@@ -15,6 +15,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-82351-8
cce@rhel8: CCE-83920-9
+ cce@rhel9: CCE-83844-1
references:
anssi: BP28(R11)
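Review bot: The added `cce@rhel9: CCE-83844-1` enrols grub2_enable_iommu_force for RHEL 9 while the hunk header shows the rule still has `severity: unknown`, so RHEL 9 scan findings for it will carry no triage priority. If a rating cannot be agreed in this change, I would at least add a comment above the key, such as `# TODO: assess severity before selecting this rule in a RHEL 9 profile`, so the gap is visibly deliberate. The same applies to the later hunks whose header reads `severity: unknown`: the sysctl_net_ipv6_conf_{all,default}_accept_ra_defrtr, accept_ra_pinfo, accept_ra_rtr_pref, autoconf, max_addresses and router_solicitations rules, and the two sysctl_net_ipv4_conf_*_log_martians rules. The `severity:` line itself sits above the hunk, so the rest of each rule file is not visible here.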
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
index 03f56b8031d..308ae9cb735 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83314-5
+ cce@rhel9: CCE-83841-7
references:
ospp: FCS_RBG_EXT.1.1
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
index f186b1ae6e7..7a8d228ddc3 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
@@ -21,6 +21,7 @@ severity: high
identifiers:
cce@rhel8: CCE-82194-2
+ cce@rhel9: CCE-83843-3
references:
srg: SRG-OS-000433-GPOS-00193,SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
index 0b5873c56a2..f82c1648315 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82159-5
cce@rhel8: CCE-80946-7
+ cce@rhel9: CCE-83842-5
references:
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
index 38f33d1812a..28132401b0e 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82023-3
cce@rhel8: CCE-80800-6
+ cce@rhel9: CCE-83848-2
references:
cis@rhel7: 1.4.2
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
index 80c53fdd4b0..70ebc483f25 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82026-6
cce@rhel8: CCE-80805-5
+ cce@rhel9: CCE-83845-8
references:
cis@rhel7: 1.4.2
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
index 6564de998e2..d3ee73725d8 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82039-9
cce@rhel8: CCE-80814-7
+ cce@rhel9: CCE-83846-6
references:
cis@rhel7: 1.4.2
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 795230dcbec..89b29fc27d4 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -43,6 +43,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27309-4
cce@rhel8: CCE-80828-7
+ cce@rhel9: CCE-83849-0
cce@sle12: CCE-83044-8
cce@sle15: CCE-83274-1
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 987a42d31ec..d342163b6c0 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83321-0
+ cce@rhel9: CCE-84096-7
ocil_clause: 'auditing is not enabled at boot time'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index cfb8c08f31d..c37fbcb9ba1 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83341-8
+ cce@rhel9: CCE-84099-1
ocil_clause: 'audit backlog limit is not configured'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index b8b025f74f4..56b634d4b19 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83485-3
+ cce@rhel9: CCE-84092-6
ocil_clause: 'a non BLS boot entry is configured'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index c8133e19ab4..6c7e3396553 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83486-1
+ cce@rhel9: CCE-84098-3
ocil_clause: 'the bootmap is outdated'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index c626f6188cd..0cd61ae2f53 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83351-7
+ cce@rhel9: CCE-84101-5
ocil_clause: 'page allocator poisoning is not enabled'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index d266165cddc..df0f6c3ee98 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83371-5
+ cce@rhel9: CCE-84094-2
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 387f7f13850..52b192ffc52 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83381-4
+ cce@rhel9: CCE-84100-7
ocil_clause: 'vsyscalls are enabled'
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
index 7d78a6963c2..569c0371ec3 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80380-9
cce@rhel8: CCE-80859-2
+ cce@rhel9: CCE-83994-4
references:
stigid@ol7: OL07-00-021100
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
index c2e28da36f8..b734c694779 100644
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80195-1
cce@rhel8: CCE-80794-1
+ cce@rhel9: CCE-83993-6
cce@rhcos4: CCE-82689-1
references:
diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
index afa2afd6671..62982ff8a94 100644
--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82859-0
+ cce@rhel9: CCE-83987-8
references:
ospp: FTP_ITC_EXT.1.1
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
index e5c90880a27..8ded536b23e 100644
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80192-8
cce@rhel8: CCE-84275-7
+ cce@rhel9: CCE-83995-1
references:
stigid@ol7: OL07-00-031010
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index bf8e746aac9..1bb9f3625e7 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -38,6 +38,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27343-3
cce@rhel8: CCE-80863-4
+ cce@rhel9: CCE-83990-2
cce@sle12: CCE-83180-0
cce@sle15: CCE-85552-8
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
index 2f908980994..6bfe1524ce5 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82457-3
+ cce@rhel9: CCE-83991-0
references:
nist: AU-9(3),CM-6(a)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
index 801684102fe..2398c0317a7 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82458-1
+ cce@rhel9: CCE-83992-8
references:
ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1
diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
index 8b88773f0ff..7298262fe52 100644
--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80188-6
cce@rhel8: CCE-80886-5
+ cce@rhel9: CCE-83989-4
references:
anssi: BP28(R5),NT28(R46)
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index fc79c5f06e8..b9ce05776a1 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82999-4
cce@rhel8: CCE-82998-6
+ cce@rhel9: CCE-84021-5
cce@rhcos4: CCE-82521-6
cce@sle15: CCE-85698-9
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index b4afabb15fd..7003d666198 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80998-8
cce@rhel8: CCE-80877-4
+ cce@rhel9: CCE-90833-5
cce@rhcos4: CCE-82554-7
cce@sle15: CCE-85751-6
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
index 636e30e3e1f..51848fc19f4 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27349-0
cce@rhel8: CCE-80890-7
+ cce@rhel9: CCE-84023-1
references:
stigid@ol7: OL07-00-040810
diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
index 20e5f729460..e8e06e5b2b4 100644
--- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80170-4
cce@rhel8: CCE-80845-1
+ cce@rhel9: CCE-84068-6
cce@rhcos4: CCE-82525-7
references:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
index 43fd69a2003..5d0fc56b27a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80180-3
cce@rhel8: CCE-81006-9
+ cce@rhel9: CCE-84120-5
cce@rhcos4: CCE-82467-2
references:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
index ba9182b87a0..979201fc23a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84271-6
cce@rhel8: CCE-84272-4
+ cce@rhel9: CCE-84115-5
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
index a7a0c007b0b..d430df13480 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84279-9
cce@rhel8: CCE-84280-7
+ cce@rhel9: CCE-84122-1
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
index 909e8cfcfbd..8c009414d35 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84287-2
cce@rhel8: CCE-84288-0
+ cce@rhel9: CCE-84111-4
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 8d92c0fec29..66826772a68 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80182-9
cce@rhel8: CCE-81009-3
+ cce@rhel9: CCE-84125-4
cce@rhcos4: CCE-82471-4
cce@sle15: CCE-85708-6
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index bf9263a67a8..a77d1f4a21e 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80179-5
cce@rhel8: CCE-81013-5
+ cce@rhel9: CCE-84131-2
cce@rhcos4: CCE-82480-5
cce@sle12: CCE-83078-6
cce@sle15: CCE-85649-2
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
index 7f4cf1b36cc..d0b011dd892 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84265-8
cce@rhel8: CCE-84266-6
+ cce@rhel9: CCE-84126-2
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index 0f4330678ac..447e9533a56 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80356-9
cce@rhel8: CCE-82863-2
+ cce@rhel9: CCE-84114-8
cce@sle15: CCE-85713-6
references:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
index 1478ffb0438..038d4b2efbf 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
@@ -15,6 +15,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84258-3
cce@rhel8: CCE-84259-1
+ cce@rhel9: CCE-84112-2
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
index 70081798a18..697718eef25 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84281-5
cce@rhel8: CCE-84109-8
+ cce@rhel9: CCE-84128-8
references:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
index 0bbf39499bf..3736a8c934d 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80181-1
cce@rhel8: CCE-81007-7
+ cce@rhel9: CCE-84124-7
cce@rhcos4: CCE-82468-0
references:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
index ebd596f9688..2da8c426314 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84267-4
cce@rhel8: CCE-84268-2
+ cce@rhel9: CCE-84116-3
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
index 18882c3a826..2865601da80 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84273-2
cce@rhel8: CCE-84051-2
+ cce@rhel9: CCE-84118-9
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
index b0b27f379f5..6de9820b44a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84289-8
cce@rhel8: CCE-84291-4
+ cce@rhel9: CCE-84121-3
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index 49d92c2a763..8f55e1ecf4a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80183-7
cce@rhel8: CCE-81010-1
+ cce@rhel9: CCE-84113-0
cce@rhcos4: CCE-82477-1
cce@sle15: CCE-85722-7
cce@sle12: CCE-83223-8
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index 3f81bf20f53..a5c911aec64 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80355-1
cce@rhel8: CCE-81015-0
+ cce@rhel9: CCE-84130-4
cce@rhcos4: CCE-82481-3
cce@sle15: CCE-85653-4
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
index 37545b05822..95a023ef48e 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84263-3
cce@rhel8: CCE-84264-1
+ cce@rhel9: CCE-84133-8
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
index 5c764c307c6..d7795727431 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
@@ -15,6 +15,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84256-7
cce@rhel8: CCE-84257-5
+ cce@rhel9: CCE-84117-1
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
index 36b3016ccf4..d4eeebf721e 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
@@ -13,6 +13,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-84283-1
cce@rhel8: CCE-83477-0
+ cce@rhel9: CCE-84026-4
references:
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
index 0de8259e975..d7aa582a33b 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82871-5
cce@rhel8: CCE-82872-3
+ cce@rhel9: CCE-84024-9
references:
cis@rhel7: 3.3.3
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index e044f2f85b0..0f835e52c11 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80158-9
cce@rhel8: CCE-80917-8
+ cce@rhel9: CCE-84011-6
cce@rhcos4: CCE-82469-8
cce@sle12: CCE-83090-1
cce@sle15: CCE-85651-8
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index c973a5cd4f5..6e734167503 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27434-0
cce@rhel8: CCE-81011-9
+ cce@rhel9: CCE-84001-7
cce@rhcos4: CCE-82478-9
cce@sle12: CCE-83064-6
cce@sle15: CCE-85648-4
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
index 43fefc50c5a..48d815feaa2 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
@@ -17,6 +17,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80160-5
cce@rhel8: CCE-81018-4
+ cce@rhel9: CCE-84000-9
cce@rhcos4: CCE-82486-2
references:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 7f1dcbee78d..dabb3606d6d 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80167-0
cce@rhel8: CCE-81021-8
+ cce@rhel9: CCE-84008-2
cce@rhcos4: CCE-82488-8
references:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
index 161b76aa880..cd1865f86fb 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80159-7
cce@rhel8: CCE-81016-8
+ cce@rhel9: CCE-84016-5
cce@rhcos4: CCE-82482-1
references:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
index 8cb3b0a64c1..c1f6770933b 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80163-9
cce@rhel8: CCE-80919-4
+ cce@rhel9: CCE-84003-3
cce@rhcos4: CCE-82470-6
cce@sle12: CCE-83081-0
cce@sle15: CCE-85652-6
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index 6170a83afb1..783c42ee4c2 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80162-1
cce@rhel8: CCE-80920-2
+ cce@rhel9: CCE-84007-4
cce@rhcos4: CCE-82479-7
cce@sle12: CCE-83079-4
cce@sle15: CCE-85650-0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
index 5a7bb934bdf..7ed2e2f1423 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
@@ -17,6 +17,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80161-3
cce@rhel8: CCE-81020-0
+ cce@rhel9: CCE-84014-0
cce@rhcos4: CCE-82487-0
references:
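Review bot: The rule that gains `cce@rhel9: CCE-84014-0` here still carries `severity: unknown`, as the hunk header shows, so RHEL9 scan reports will list the martian-logging check without a usable priority. The same holds for the sysctl_net_ipv4_icmp_ignore_bogus_error_responses hunk further down, whose header also reads `severity: unknown`. Since both rules are now being mapped to a new product, I would set an explicit value in the same change. The neighbouring sysctl rules in this patch use `severity: medium`, which looks like the natural candidate, but that should be confirmed against the rule rationale. The severity line itself lies outside the hunk.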
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
index 8e0687c50a4..32498d5de5a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80168-8
cce@rhel8: CCE-81022-6
+ cce@rhel9: CCE-84009-0
cce@rhcos4: CCE-82489-6
references:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
index 8b6378eaf6e..18da604b29d 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80164-7
cce@rhel8: CCE-81017-6
+ cce@rhel9: CCE-84019-9
cce@rhcos4: CCE-82483-9
references:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
index 11eddda99ed..bd6ee152a31 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80165-4
cce@rhel8: CCE-80922-8
+ cce@rhel9: CCE-84004-1
cce@rhcos4: CCE-82491-2
cce@sle12: CCE-83080-2
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
index ab3e5e8b6e7..70eeb8341b6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
@@ -15,6 +15,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80166-2
cce@rhel8: CCE-81023-4
+ cce@rhel9: CCE-84015-7
cce@rhcos4: CCE-82490-4
references:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
index c4f398fc3da..84bb91629f2 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-84276-5
cce@rhel8: CCE-84277-3
+ cce@rhel9: CCE-90834-3
references:
anssi: BP28(R22)
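Review bot: `cce@rhel9: CCE-90834-3` is the only RHEL9 identifier in the hunks visible here that falls outside the CCE-83895 to CCE-84139 block used by all the others. That may only mean it was allocated later, but it is worth confirming that the value came from the project's pool of unassigned CCEs and is not already bound to another rule. A CCE shared by two rules makes scanner results for one control get attributed to the other in compliance reports. A build-time check that every `cce@rhel9` value is unique across rule.yml files would catch this class of mistake.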
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
index f9ff179e2cc..b70279f6cbd 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-84269-0
cce@rhel8: CCE-84270-8
+ cce@rhel9: CCE-84012-4
references:
anssi: BP28(R22)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
index 2643f7b34af..4f9ded02621 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27495-1
cce@rhel8: CCE-80923-6
+ cce@rhel9: CCE-84006-6
cce@rhcos4: CCE-82492-0
cce@sle12: CCE-83179-2
cce@sle15: CCE-83283-2
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
index 5bb3a291d88..4a941677e84 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80156-3
cce@rhel8: CCE-80918-6
+ cce@rhel9: CCE-83997-7
cce@rhcos4: CCE-82484-7
cce@sle12: CCE-83089-3
cce@sle15: CCE-85655-9
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index c2fca54905b..40dd979e981 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80999-6
cce@rhel8: CCE-80921-0
+ cce@rhel9: CCE-83999-3
cce@rhcos4: CCE-82485-4
cce@sle12: CCE-83086-9
cce@sle15: CCE-85654-2
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 4b70eed91d5..0885d759506 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80157-1
cce@rhel8: CCE-81024-2
+ cce@rhel9: CCE-83998-5
cce@sle12: CCE-83088-5
cce@sle15: CCE-85709-4
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
index b35b94c0649..cf538b45c8a 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82162-9
cce@rhel8: CCE-82028-2
+ cce@rhel9: CCE-84137-9
cce@rhcos4: CCE-82518-2
references:
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
index 97c10b91f40..5401bf0a552 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82164-5
cce@rhel8: CCE-82059-7
+ cce@rhel9: CCE-84134-6
cce@rhcos4: CCE-82519-0
references:
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
index 110a84efcae..f0842cded24 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82024-1
cce@rhel8: CCE-80833-7
+ cce@rhel9: CCE-84136-1
references:
stigid@ol7: OL07-00-020101
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
index 43ba8378d43..845d4d8f67a 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82160-3
cce@rhel8: CCE-82005-0
+ cce@rhel9: CCE-84060-3
cce@rhcos4: CCE-82517-4
references:
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
index 85a8a7e02e0..beb0c7ffcc4 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
@@ -17,6 +17,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82869-9
cce@rhel8: CCE-82870-7
+ cce@rhel9: CCE-84064-5
references:
cis@rhel7: 3.5.3
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
index aa074954939..53393d561a4 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82044-9
cce@rhel8: CCE-80834-5
+ cce@rhel9: CCE-84139-5
cce@rhcos4: CCE-82516-6
references:
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
index 1b44eeaa816..6f212aae42d 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83395-4
cce@rhel8: CCE-82297-3
+ cce@rhel9: CCE-84065-2
cce@rhcos4: CCE-82520-8
references:
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
index 55fa265f7b3..bd79f613f9e 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27327-6
cce@rhel8: CCE-80832-9
+ cce@rhel9: CCE-84067-8
cce@rhcos4: CCE-82515-8
references:
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index aaa17c752cf..6826f72b38d 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -36,6 +36,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27358-1
cce@rhel8: CCE-83501-7
+ cce@rhel9: CCE-84066-0
cce@rhcos4: CCE-82660-2
cce@sle12: CCE-83148-7
cce@sle15: CCE-83286-5
diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
index 9b1e0b4f69d..3048f0bc8d7 100644
--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
+++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
@@ -29,6 +29,7 @@ platform: machine # The oscap interface probe doesn't support offline mode
identifiers:
cce@rhel7: CCE-80174-6
cce@rhel8: CCE-82283-3
+ cce@rhel9: CCE-83996-9
cce@sle12: CCE-83147-9
cce@sle15: CCE-85656-7
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
index 0a4232cae38..8fccb555dc3 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83374-9
cce@rhel8: CCE-83375-6
+ cce@rhel9: CCE-83903-5
references:
anssi: BP28(R40)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index 4a72ddda83e..2babda397c8 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -33,6 +33,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80130-8
cce@rhel8: CCE-80783-4
+ cce@rhel9: CCE-83895-3
cce@rhcos4: CCE-82753-5
cce@sle12: CCE-83047-1
cce@sle15: CCE-83282-4
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index 12b1ed7483c..aa821dccf22 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80132-4
cce@rhel8: CCE-80816-2
+ cce@rhel9: CCE-83901-9
references:
anssi: BP28(R37),BP28(R38)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index 079679d5b17..5eccb8ec703 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80133-2
cce@rhel8: CCE-80817-0
+ cce@rhel9: CCE-83897-9
references:
anssi: BP28(R37),BP28(R38)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
index 37614b561ec..cdab3363005 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80131-6
cce@rhel8: CCE-80818-8
+ cce@rhel9: CCE-83902-7
references:
cis@rhel7: 6.1.10
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index 9af992d2e71..6ffe95805c8 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80135-7
cce@rhel8: CCE-83497-8
+ cce@rhel9: CCE-83906-8
cce@sle12: CCE-83073-7
cce@sle15: CCE-85658-3
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index 1169d757fd0..087e23ac547 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80134-0
cce@rhel8: CCE-83499-4
+ cce@rhel9: CCE-83896-1
cce@sle12: CCE-83072-9
cce@sle15: CCE-85657-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
index 8752366d140..a5140984c51 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83474-7
cce@rhel8: CCE-83475-4
+ cce@rhel9: CCE-83928-2
references:
cis@rhel7: 6.1.8
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index 4b0f213e2d2..c66413c54a9 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83534-8
cce@rhel8: CCE-83535-5
+ cce@rhel9: CCE-83951-4
references:
cis@rhel7: 6.1.9
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
index 67a8a2b2f7b..9bdf77e0f43 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83323-6
cce@rhel8: CCE-83324-4
+ cce@rhel9: CCE-83933-2
references:
cis@rhel7: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
index 6f5e7c6db4a..4a33f96814c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83414-3
cce@rhel8: CCE-83415-0
+ cce@rhel9: CCE-83938-1
references:
cis@rhel7: 6.1.7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
index a30e43191dc..0d93a0096dd 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82037-3
cce@rhel8: CCE-80796-6
+ cce@rhel9: CCE-83945-6
references:
cis@rhel7: 6.1.4
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index 081652006fd..162f01db012 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82025-8
cce@rhel8: CCE-80797-4
+ cce@rhel9: CCE-83948-0
references:
cis@rhel7: 6.1.5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
index ffe20494729..9a4c5d30561 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-26639-5
cce@rhel8: CCE-80798-2
+ cce@rhel9: CCE-83950-6
references:
cis@rhel7: 6.1.2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
index a68a86445ba..4f185f7f2a4 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82051-4
cce@rhel8: CCE-80799-0
+ cce@rhel9: CCE-83930-8
references:
cis@rhel7: 6.1.3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
index 34cc7261d2b..3a301d0304b 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83472-1
cce@rhel8: CCE-83473-9
+ cce@rhel9: CCE-83944-9
references:
cis@rhel7: 6.1.8
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
index c7434655b50..55a07f601da 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83532-2
cce@rhel8: CCE-83533-0
+ cce@rhel9: CCE-83929-0
references:
cis@rhel7: 6.1.9
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
index e4e7e7b493e..79e4ab1fe62 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83325-1
cce@rhel8: CCE-83326-9
+ cce@rhel9: CCE-83947-2
references:
cis@rhel7: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
index 11b341fcbb4..389f830f055 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83412-7
cce@rhel8: CCE-83413-5
+ cce@rhel9: CCE-83949-8
references:
cis@rhel7: 6.1.7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
index cded33d30ce..d19e55104e0 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82031-6
cce@rhel8: CCE-80801-4
+ cce@rhel9: CCE-83925-8
references:
cis@rhel7: 6.1.4
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
index 52fa58671f4..2419015f113 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82195-9
cce@rhel8: CCE-80802-2
+ cce@rhel9: CCE-83924-1
references:
cis@rhel7: 6.1.5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
index dd04e90f501..e71300f22d1 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82052-2
cce@rhel8: CCE-80803-0
+ cce@rhel9: CCE-83943-1
references:
cis@rhel7: 6.1.2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
index fbdb621807b..6eb53bc53d4 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82022-5
cce@rhel8: CCE-80804-8
+ cce@rhel9: CCE-83926-6
references:
cis@rhel7: 6.1.3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
index 5e69037060a..7e79f387e13 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83482-0
cce@rhel8: CCE-83483-8
+ cce@rhel9: CCE-83939-9
references:
cis@rhel7: 6.1.8
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
index 3d6857d811b..7c3994e5115 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83572-8
cce@rhel8: CCE-83573-6
+ cce@rhel9: CCE-83942-3
references:
cis@rhel7: 6.1.9
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
index 43f6675bf3f..1f87b073988 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83331-9
cce@rhel8: CCE-83332-7
+ cce@rhel9: CCE-83940-7
references:
cis@rhel7: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
index 7c9b99651bc..d36289cda20 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83416-8
cce@rhel8: CCE-83417-6
+ cce@rhel9: CCE-83935-7
references:
cis@rhel7: 6.1.7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
index ef8cf0cca28..1a7c3b8854c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82032-4
cce@rhel8: CCE-80810-5
+ cce@rhel9: CCE-83934-0
references:
cis@rhel7: 6.1.4
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index 58c08ac643f..3b3fe738e04 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82192-6
cce@rhel8: CCE-80811-3
+ cce@rhel9: CCE-83921-7
references:
anssi: BP28(R36)
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
index 0a7f729c6cd..9faf0f5313a 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82029-0
cce@rhel8: CCE-80812-1
+ cce@rhel9: CCE-83931-6
references:
cis@rhel7: 6.1.2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index be331eca4a4..700f0a73a5d 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82042-3
cce@rhel8: CCE-80813-9
+ cce@rhel9: CCE-83941-5
references:
anssi: BP28(R36)
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
index 84b58bd8cf3..a9e9d909350 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83659-3
+ cce@rhel9: CCE-83912-6
references:
srg: SRG-OS-000206-GPOS-00084
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
index 40811212654..d73e8fe2470 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
@@ -12,6 +12,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83660-1
+ cce@rhel9: CCE-83916-7
references:
srg: SRG-OS-000206-GPOS-00084
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
index b151758b1b0..a897085ca0a 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83661-9
+ cce@rhel9: CCE-83914-2
references:
srg: SRG-OS-000206-GPOS-00084
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
index 084e13a1de0..f7e16949999 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
@@ -12,6 +12,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83662-7
+ cce@rhel9: CCE-83915-9
references:
srg: SRG-OS-000206-GPOS-00084
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
index db131144de9..12a62347de7 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83663-5
+ cce@rhel9: CCE-83917-5
references:
srg: SRG-OS-000206-GPOS-00084
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
index 0a8d5d1dde0..19ab1f8ff76 100644
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-83665-0
+ cce@rhel9: CCE-83913-4
references:
srg: SRG-OS-000206-GPOS-00084
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
index 20bd962b3aa..f02d6f4ed7b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82048-0
cce@rhel8: CCE-80806-3
+ cce@rhel9: CCE-83908-4
cce@sle15: CCE-85730-0
references:
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index ca6fd90c280..df6f29fc2ac 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82021-7
cce@rhel8: CCE-80807-1
+ cce@rhel9: CCE-83907-6
cce@sle15: CCE-85756-5
references:
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
index ad69c4f88ec..ea0117bba7e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82040-7
cce@rhel8: CCE-80809-7
+ cce@rhel9: CCE-83911-8
cce@sle15: CCE-85729-2
references:
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 0dce477d5f3..6480caed07c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -28,6 +28,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82033-2
cce@rhel8: CCE-80815-4
+ cce@rhel9: CCE-83909-2
cce@sle15: CCE-85670-8
references:
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
index 867e0833c64..3a5f2c2a89b 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81026-7
cce@rhel8: CCE-81027-5
+ cce@rhel9: CCE-84110-6
cce@rhcos4: CCE-82506-7
references:
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
index e12a68c95ba..53cb920e90d 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81029-1
cce@rhel8: CCE-81030-9
+ cce@rhel9: CCE-83900-1
cce@rhcos4: CCE-82507-5
references:
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
index 10116e8a543..89603b2e9a7 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
@@ -24,6 +24,7 @@ platform: machine
identifiers:
cce@rhel7: CCE-80137-3
cce@rhel8: CCE-81031-7
+ cce@rhel9: CCE-83853-2
cce@rhcos4: CCE-82514-1
references:
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
index 6b31c36af5e..ef606bfadd8 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
@@ -24,6 +24,7 @@ platform: machine
identifiers:
cce@rhel7: CCE-80142-3
cce@rhel8: CCE-83498-6
+ cce@rhel9: CCE-83855-7
cce@rhcos4: CCE-82717-0
references:
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
index 11c9f7533a2..51f377830ef 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
@@ -25,6 +25,7 @@ platform: machine
identifiers:
cce@rhel7: CCE-80143-1
cce@rhel8: CCE-82729-5
+ cce@rhel9: CCE-83852-4
cce@rhcos4: CCE-82718-8
references:
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index 3e3f97d6621..11f1a43f292 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27277-3
cce@rhel8: CCE-80835-2
+ cce@rhel9: CCE-83851-6
cce@rhcos4: CCE-82719-6
cce@sle12: CCE-83069-5
cce@sle15: CCE-83294-9
diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
index bd08b4b93b1..5553f49c884 100644
--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27498-5
cce@rhel8: CCE-80873-3
+ cce@rhel9: CCE-83850-8
cce@rhcos4: CCE-82663-6
cce@sle12: CCE-83070-3
cce@sle15: CCE-83278-2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
index e59ede9c721..ceef17d9ee8 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82135-5
cce@rhel8: CCE-82941-6
+ cce@rhel9: CCE-83884-7
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
index b0e499d4f3a..e6f8d284138 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83315-2
cce@rhel8: CCE-83316-0
+ cce@rhel9: CCE-83892-0
references:
anssi: BP28(R12)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
index 54902dbdac5..85de23060a0 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82138-9
cce@rhel8: CCE-81033-3
+ cce@rhel9: CCE-83877-1
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
index 3173c5b3db7..d38bfa5c41c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80152-2
cce@rhel8: CCE-80837-8
+ cce@rhel9: CCE-83881-3
cce@rhcos4: CCE-82867-3
references:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
index 845de5fb01d..7d4e76eaca0 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
@@ -22,6 +22,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80153-0
cce@rhel8: CCE-80838-6
+ cce@rhel9: CCE-83857-3
cce@rhcos4: CCE-82868-1
references:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
index 22b2a497522..82ab2971fc3 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80154-8
cce@rhel8: CCE-80839-4
+ cce@rhel9: CCE-83891-2
cce@rhcos4: CCE-82741-0
references:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
index bd4b69f8ec2..84e19796371 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
@@ -23,6 +23,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-81047-3
cce@rhel8: CCE-81048-1
+ cce@rhel9: CCE-83871-4
cce@rhcos4: CCE-82740-2
references:
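Review bot: The rule that receives `cce@rhel9: CCE-83871-4` here still carries `severity: unknown`, as the hunk header shows, while the neighbouring `mount_option_home_noexec` and `mount_option_home_nosuid` rules in this patch are `severity: medium`. Once the rule is mapped to RHEL 9, its findings will presumably be reported without a usable severity, which makes a missing `nodev` on the home partition harder to prioritise. I would set the value explicitly, for example `severity: medium` if that matches how the project rates the sibling rules. The severity line sits above this hunk, so it would be a separate change to the file.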
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
index c07bd670135..04f12549f1c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83327-7
cce@rhel8: CCE-83328-5
+ cce@rhel9: CCE-83875-5
references:
anssi: BP28(R12)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index e6fd9ed7240..de14fa41aa8 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81153-9
cce@rhel8: CCE-81050-7
+ cce@rhel9: CCE-83894-6
cce@sle12: CCE-83100-8
cce@sle15: CCE-85633-6
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
index 5f658b2a592..1725c8daf4c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80145-6
cce@rhel8: CCE-82069-6
+ cce@rhel9: CCE-83873-0
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
index 34fadec6e9b..4d830212c30 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
@@ -23,6 +23,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80146-4
cce@rhel8: CCE-82742-8
+ cce@rhel9: CCE-83856-5
cce@rhcos4: CCE-82865-7
references:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index ab8cec9f91d..4e36f9ef1f5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80147-2
cce@rhel8: CCE-82746-9
+ cce@rhel9: CCE-83883-9
cce@rhcos4: CCE-82747-7
references:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
index 054fd19e13e..c0c2c12c634 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80148-0
cce@rhel8: CCE-82744-4
+ cce@rhel9: CCE-83874-8
cce@rhcos4: CCE-82745-1
cce@sle12: CCE-83101-6
cce@sle15: CCE-85634-4
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
index a68d065c2f9..b67d96ba8da 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83317-8
cce@rhel8: CCE-83319-4
+ cce@rhel9: CCE-83880-5
references:
anssi: BP28(R12)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
index 469f15db079..022dee6db9a 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83320-2
cce@rhel8: CCE-83322-8
+ cce@rhel9: CCE-83862-3
references:
anssi: BP28(R12)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index 938f7a58215..6cf42d368a7 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80149-8
cce@rhel8: CCE-82623-0
+ cce@rhel9: CCE-83869-8
references:
cis@rhel7: 1.1.4
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 1344518bc2f..055adca538a 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80150-6
cce@rhel8: CCE-82139-7
+ cce@rhel9: CCE-83885-4
references:
cis@rhel7: 1.1.3
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index 827eeb0381b..16e919a0586 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80151-4
cce@rhel8: CCE-82140-5
+ cce@rhel9: CCE-83872-2
references:
cis@rhel7: 1.1.5
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
index 252de20f49e..de0ed866913 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82079-5
cce@rhel8: CCE-82080-3
+ cce@rhel9: CCE-83882-1
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
index 06b1ee7eddc..8f862132b56 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82146-2
cce@rhel8: CCE-82975-4
+ cce@rhel9: CCE-83878-9
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
index 1443e2a64f4..a991a15ae5e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82148-8
cce@rhel8: CCE-82921-8
+ cce@rhel9: CCE-83893-8
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 97670681e06..920351725ad 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82076-1
cce@rhel8: CCE-82077-9
+ cce@rhel9: CCE-83886-2
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
index 6548012de35..2be49486a16 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82142-1
cce@rhel8: CCE-82008-4
+ cce@rhel9: CCE-83887-0
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
index 34fe89affd0..4c4c2711f37 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82144-7
cce@rhel8: CCE-82065-4
+ cce@rhel9: CCE-83870-6
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
index 92a8dd83813..8a8413b49e6 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82064-7
cce@rhel8: CCE-82062-1
+ cce@rhel9: CCE-83868-0
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
index 1cb6cbab055..7119419eb6b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83329-3
cce@rhel8: CCE-83330-1
+ cce@rhel9: CCE-83865-6
references:
anssi: BP28(R12)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
index f15cc75ae19..ca3e15f3878 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
@@ -16,6 +16,7 @@ rationale: |-
identifiers:
cce@rhel7: CCE-83378-0
cce@rhel8: CCE-83383-0
+ cce@rhel9: CCE-83867-2
references:
anssi: BP28(R12)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 03443bd43fd..c78149e13aa 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81052-3
cce@rhel8: CCE-82068-8
+ cce@rhel9: CCE-83864-9
cce@rhcos4: CCE-82735-2
references:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index 4adc6791d88..87a5f0e2f5d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82150-4
cce@rhel8: CCE-82151-2
+ cce@rhel9: CCE-83866-4
cce@rhcos4: CCE-82866-5
references:
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index a22d658a6b2..7df03f1bf13 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82153-8
cce@rhel8: CCE-82154-6
+ cce@rhel9: CCE-83863-1
cce@rhcos4: CCE-82736-0
references:
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
index dd32d225db8..3047f5790ab 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80169-6
cce@rhel8: CCE-81038-2
+ cce@rhel9: CCE-83980-3
cce@rhcos4: CCE-82526-5
references:
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
index baa8a448026..290d91abacf 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
@@ -20,6 +20,7 @@ platform: machine
identifiers:
cce@rhel8: CCE-82881-4
+ cce@rhel9: CCE-83974-6
cce@rhcos4: CCE-82530-7
references:
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
index b9521a9a648..9734bd75112 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-26900-1
cce@rhel8: CCE-80912-9
+ cce@rhel9: CCE-83981-1
references:
cis@rhel7: 1.5.1
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
index 9e018613784..7ddbcbfc0a3 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
@@ -27,6 +27,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode
identifiers:
cce@rhel7: CCE-27211-2
cce@rhel8: CCE-80914-5
+ cce@rhel9: CCE-83970-4
references:
cis@rhel7: 1.5.2
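Review bot: A RHEL 9 identifier on `sysctl_kernel_exec_shield` needs a check that the rule can be meaningfully evaluated there. `kernel.exec-shield` was a sysctl of older Red Hat kernels and, to my knowledge, is not exposed by current ones. The hunk header shows only `platform: machine` with a remark about the oscap sysctl probe; the description and the check itself are outside the hunk, so this is inferred from the rule name. If the check is really about NX not being disabled at boot, I would say so next to the new line, e.g. `# rhel9: no kernel.exec-shield sysctl; rule checks that NX is not disabled`. If it reads the sysctl, scans would report an error or a misleading result under `CCE-83970-4`, and the identifier is better left out until the check is ported.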
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index c678f8f086c..9474fed6098 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80659-6
cce@rhel8: CCE-80915-2
+ cce@rhel9: CCE-83972-0
cce@rhcos4: CCE-82498-7
cce@sle12: CCE-83125-5
cce@sle15: CCE-83299-8
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
index aa46075cdce..c96a8018909 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27127-0
cce@rhel8: CCE-80916-0
+ cce@rhel9: CCE-83971-2
cce@sle12: CCE-83146-1
cce@sle15: CCE-83300-4
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
index 9b18bee588f..77e58a78250 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82158-7
cce@rhel8: CCE-80944-2
+ cce@rhel9: CCE-83985-2
references:
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
index f6059044f14..36241872a02 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82157-9
cce@rhel8: CCE-80945-9
+ cce@rhel9: CCE-83986-0
references:
srg: SRG-OS-000433-GPOS-00192,SRG-OS-000134-GPOS-00068
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index fb3cd558c0b..dd1f67bad8c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82215-5
+ cce@rhel9: CCE-83961-3
cce@rhcos4: CCE-82527-3
references:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index c7ba7b2821b..e7eb3f5caf3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27050-4
cce@rhel8: CCE-80913-7
+ cce@rhel9: CCE-83952-2
cce@rhcos4: CCE-82499-5
references:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
index 97fab077088..6433967ce7f 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81056-4
cce@rhel8: CCE-80952-5
+ cce@rhel9: CCE-83954-8
cce@rhcos4: CCE-82500-0
references:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index 2bb534d8382..1722b9370da 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83392-1
cce@rhel8: CCE-83397-0
+ cce@rhel9: CCE-83967-0
references:
anssi: BP28(R24)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
index 147e1f0a96a..52456967c53 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83369-9
cce@rhel8: CCE-83373-1
+ cce@rhel9: CCE-83969-6
references:
anssi: BP28(R23)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
index 1cb4a86a14c..f78db1b0dbd 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83367-3
cce@rhel8: CCE-83368-1
+ cce@rhel9: CCE-83962-1
references:
anssi: BP28(R23)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
index 696994b0f27..c756902afd2 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81053-1
cce@rhel8: CCE-81054-9
+ cce@rhel9: CCE-83959-7
cce@rhcos4: CCE-82502-6
references:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
index 672df86e693..4299f35b9df 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83365-7
cce@rhel8: CCE-83366-5
+ cce@rhel9: CCE-83960-5
references:
anssi: BP28(R23)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
index 88e9e4e6285..f17eeb7a8fe 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83353-3
cce@rhel8: CCE-83355-8
+ cce@rhel9: CCE-83968-8
references:
anssi: BP28(R23)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
index 31fde102de8..9a90716debc 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82203-1
cce@rhel8: CCE-82974-7
+ cce@rhel9: CCE-83957-1
cce@rhcos4: CCE-82504-2
references:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index 7cd437ec14a..b686a606f86 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-81058-0
cce@rhel8: CCE-80953-3
+ cce@rhel9: CCE-83965-4
cce@rhcos4: CCE-82501-8
references:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
index 9812e2beb16..f87be0ff5c6 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82934-1
+ cce@rhel9: CCE-83966-2
cce@rhcos4: CCE-82505-9
references:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
index 223619814b5..145c652fa73 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
@@ -23,6 +23,7 @@ severity: low
identifiers:
cce@rhel8: CCE-82211-4
+ cce@rhel9: CCE-83956-3
cce@rhcos4: CCE-82503-4
references:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
index c5158c6cbb6..93a11ee5086 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83358-2
cce@rhel8: CCE-83363-2
+ cce@rhel9: CCE-83958-9
references:
anssi: BP28(R23)
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
index 87a081248be..4cda0a17a8d 100644
--- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-26961-3
cce@rhel8: CCE-80827-9
+ cce@rhel9: CCE-84078-5
cce@rhcos4: CCE-82666-9
references:
diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
index c8123f6a4f6..d38f1829771 100644
--- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
@@ -18,6 +18,7 @@ severity: high
identifiers:
cce@rhel7: CCE-82876-4
cce@rhel8: CCE-82877-2
+ cce@rhel9: CCE-84069-4
references:
cis@rhel7: 1.6.1.1
diff --git a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
index becb0dab84a..81f72105a80 100644
--- a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80445-0
cce@rhel8: CCE-82756-8
+ cce@rhel9: CCE-84072-8
references:
cis@rhel7: 1.6.1.8
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
index a18a57dcbb3..74c92194136 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82724-6
+ cce@rhel9: CCE-84070-2
references:
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
index acce754e9d2..cf3e71a1fc0 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
@@ -26,6 +26,7 @@ severity: high
identifiers:
cce@rhel7: CCE-82977-0
cce@rhel8: CCE-82976-2
+ cce@rhel9: CCE-84071-0
references:
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
index c7ec916622c..8992283aecc 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
@@ -20,6 +20,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80444-3
cce@rhel8: CCE-82755-0
+ cce@rhel9: CCE-84073-6
references:
anssi: BP28(R68)
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
index bc189ce4d43..f3be1c78a09 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80424-5
cce@rhel8: CCE-84297-1
+ cce@rhel9: CCE-84090-0
references:
cui: 80424-5
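Review bot: The `cui: 80424-5` reference directly after the identifiers repeats the digits of the rhel7 identifier `CCE-80424-5` and does not look like a CUI control reference. The commit does not introduce it, but anyone tracing `sebool_auditadm_exec_content` through the `cui` mapping for the new RHEL 9 entry lands on a value that appears to point at no control. The rest of the references block is outside the hunk, so the intended value cannot be read from here. I would replace it with the proper control id or remove the key, and mention the correction in the commit message.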
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
index e8453fbfb8d..2a35a2db9eb 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82290-8
cce@rhel8: CCE-83307-9
+ cce@rhel9: CCE-84082-7
references:
anssi: BP28(R67)
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
index e3591519dc7..53f154e7e84 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82305-4
cce@rhel8: CCE-84230-2
+ cce@rhel9: CCE-84083-5
references:
anssi: BP28(R39)
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
index 6942f1e2114..428bb90bb94 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82308-8
cce@rhel8: CCE-83310-3
+ cce@rhel9: CCE-84087-6
{{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
index 7fedaab6130..6c6fbb73b26 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82312-0
cce@rhel8: CCE-80949-1
+ cce@rhel9: CCE-84084-3
references:
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
index b94d70c0989..f90ef1183de 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82313-8
cce@rhel8: CCE-80950-9
+ cce@rhel9: CCE-84086-8
references:
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
index 2e0b19f881d..21072e4401e 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82314-6
cce@rhel8: CCE-80951-7
+ cce@rhel9: CCE-84089-2
references:
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
index 98673f57c98..f4b47393a75 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82327-8
cce@rhel8: CCE-83311-1
+ cce@rhel9: CCE-84081-9
{{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}}
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
index cc0319a4121..216518475e8 100644
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27288-0
cce@rhel8: CCE-80867-5
+ cce@rhel9: CCE-84075-1
cce@rhcos4: CCE-82688-3
references:
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index e4202dcd2c6..44e001c9049 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27279-9
cce@rhel8: CCE-80868-3
+ cce@rhel9: CCE-84074-4
cce@rhcos4: CCE-82532-3
references:
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index 1a8066e5f07..ca0a7a04bae 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27334-2
cce@rhel8: CCE-80869-1
+ cce@rhel9: CCE-84079-3
cce@rhcos4: CCE-82531-5
references:
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index ef544f33d48..083d02a36e5 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -53,6 +53,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27128-8
cce@rhel8: CCE-80789-1
+ cce@rhel9: CCE-90849-1
cce@sle12: CCE-83046-3
cce@sle15: CCE-85719-3
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
index c44f0c7ce98..35d766d9f9d 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80144-9
cce@rhel8: CCE-81044-0
+ cce@rhel9: CCE-83468-9
cce@rhcos4: CCE-82739-4
cce@sle12: CCE-83152-9
cce@sle15: CCE-85639-3
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
index ff22050a248..bbfd28c10ce 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
@@ -25,6 +25,7 @@ references:
identifiers:
cce@rhel7: CCE-83376-4
cce@rhel8: CCE-83387-1
+ cce@rhel9: CCE-90846-7
{{{ complete_ocil_entry_separate_partition(part="/srv") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
index 799dfb99dd7..3a3a28cec04 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
@@ -17,6 +17,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82053-0
cce@rhel8: CCE-80851-9
+ cce@rhel9: CCE-90845-9
references:
stigid@ol7: OL07-00-021340
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
index 834dbbbf210..856a09540ba 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82014-2
cce@rhel8: CCE-80852-7
+ cce@rhel9: CCE-83466-3
cce@sle12: CCE-83153-7
cce@sle15: CCE-85640-1
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
index 7f1a8c7ddb9..08ba9a843f0 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82034-0
cce@rhel8: CCE-80853-5
+ cce@rhel9: CCE-90848-3
cce@rhcos4: CCE-82737-8
references:
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
index e76d455bf3a..10113499614 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
@@ -20,6 +20,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82035-7
cce@rhel8: CCE-80854-3
+ cce@rhel9: CCE-90847-5
cce@rhcos4: CCE-82738-6
cce@sle12: CCE-83154-5
cce@sle15: CCE-85618-7
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index 535c0096b46..01c3f9b76ab 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -19,6 +19,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82353-4
cce@rhel8: CCE-82730-3
+ cce@rhel9: CCE-83487-9
cce@rhcos4: CCE-82734-5
references:
diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
index 1222bbf54e5..f5ca4062d3d 100644
--- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
+++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82348-4
cce@rhel8: CCE-82367-4
+ cce@rhel9: CCE-83549-6
references:
nist: CM-7(a),CM-7(b),CM-6(a)
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index 8a36d5691b7..0a6b95ea19e 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -33,6 +33,7 @@ severity: high
identifiers:
cce@rhel7: CCE-82371-6
cce@rhel8: CCE-80947-5
+ cce@rhel9: CCE-83453-1
cce@sle12: CCE-83001-8
cce@sle15: CCE-83260-0
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
index b232fdb7bbf..666ae4e2b2c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-80934-3
+ cce@rhel9: CCE-83451-5
cce@rhcos4: CCE-82544-8
references:
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index 726f555e385..f95c16b271b 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -55,6 +55,7 @@ severity: high
identifiers:
cce@rhel8: CCE-80935-0
+ cce@rhel9: CCE-83450-7
cce@rhcos4: CCE-82541-4
references:
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
index 5f19ce25f9f..64bb048f8e5 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-80936-8
+ cce@rhel9: CCE-83449-9
cce@rhcos4: CCE-82547-1
references:
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
index c156144f2c9..c1e7fb6f9e0 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-80937-6
+ cce@rhel9: CCE-83446-5
cce@rhcos4: CCE-82546-3
references:
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
index a7d6351eb4b..3953f7f2372 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-80938-4
+ cce@rhel9: CCE-83452-3
cce@rhcos4: CCE-82545-5
references:
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
index dfe105771cc..eba82b5fb78 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-84255-9
+ cce@rhel9: CCE-83448-1
references:
nist: AC-17(2)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index 77030b4c6ed..ff24032229e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-80939-2
+ cce@rhel9: CCE-83445-7
references:
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
index 10974a995e1..68ce39792ba 100644
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82723-8
+ cce@rhel9: CCE-83442-4
references:
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
index b373970d241..6d0c3b42890 100644
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -24,6 +24,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode
identifiers:
cce@rhel7: CCE-80658-8
cce@rhel8: CCE-84027-2
+ cce@rhel9: CCE-83441-6
references:
disa: CCI-000068,CCI-000803,CCI-002450
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
index d28e3222980..460641ed4e3 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
@@ -29,6 +29,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27220-3
cce@rhel8: CCE-80675-2
+ cce@rhel9: CCE-83438-2
references:
anssi: BP28(R51)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
index 7feef66f859..2d7a3ac28b2 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
@@ -34,6 +34,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-26952-2
cce@rhel8: CCE-80676-0
+ cce@rhel9: CCE-83437-4
cce@sle15: CCE-85671-6
references:
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
index a73fb0a39ad..51dae72ee6d 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
@@ -30,6 +30,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80374-2
cce@rhel8: CCE-82891-3
+ cce@rhel9: CCE-90844-2
cce@sle12: CCE-83048-9
references:
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
index f527068022a..3342599f5f6 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
@@ -25,6 +25,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80375-9
cce@rhel8: CCE-84220-3
+ cce@rhel9: CCE-90837-6
cce@sle12: CCE-83150-3
cce@sle15: CCE-85623-7
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
index 7961f3b5a67..54351d15423 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
@@ -25,6 +25,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80376-7
cce@rhel8: CCE-83733-6
+ cce@rhel9: CCE-83439-0
cce@sle12: CCE-83151-1
cce@sle15: CCE-85624-5
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 264dd298c11..681da5b976e 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27096-7
cce@rhel8: CCE-80844-4
+ cce@rhel9: CCE-90843-4
cce@sle12: CCE-83067-9
cce@sle15: CCE-83289-9
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
index 873110cc9c3..3d0f77d825b 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
@@ -36,6 +36,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27157-7
cce@rhel8: CCE-80857-6
+ cce@rhel9: CCE-90841-8
references:
stigid@ol7: OL07-00-010020
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
index 97c0957fd68..f085d9a79f9 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -27,6 +27,7 @@ severity: high
identifiers:
cce@rhel7: CCE-80545-7
cce@rhel8: CCE-82196-7
+ cce@rhel9: CCE-90842-6
cce@rhcos4: CCE-82686-7
references:
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
index 8875abd83fe..915cf839a68 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
@@ -32,6 +32,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27209-6
cce@rhel8: CCE-80858-4
+ cce@rhel9: CCE-90840-0
cce@rhcos4: CCE-82687-5
references:
diff --git a/linux_os/guide/system/software/prefer_64bit_os/rule.yml b/linux_os/guide/system/software/prefer_64bit_os/rule.yml
index af33fe43359..f2ae5406c24 100644
--- a/linux_os/guide/system/software/prefer_64bit_os/rule.yml
+++ b/linux_os/guide/system/software/prefer_64bit_os/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83691-6
cce@rhel8: CCE-83694-0
+ cce@rhel9: CCE-90839-2
references:
anssi: BP28(R10)
diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
index 2392bdc2c44..1fb36944e43 100644
--- a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
+++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82213-0
cce@rhel8: CCE-82214-8
+ cce@rhel9: CCE-83523-1
cce@rhcos4: CCE-82523-2
references:
diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
index fb6e9833b31..cc7fbbc0959 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
@@ -18,6 +18,7 @@ severity: high
identifiers:
cce@rhel7: CCE-83740-1
cce@rhel8: CCE-83747-6
+ cce@rhel9: CCE-83537-1
references:
anssi: BP28(R58)
diff --git a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
index 00e56a1427d..e7c96e8d5ac 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83787-2
cce@rhel8: CCE-83790-6
+ cce@rhel9: CCE-83539-7
references:
anssi: BP28(R58)
diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
index 2164cefec8c..67f9fcb1a42 100644
--- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83797-1
cce@rhel8: CCE-83798-9
+ cce@rhel9: CCE-83538-9
references:
anssi: BP28(R58)
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index 05a3127c6ae..90760109e3c 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -15,6 +15,7 @@ severity: low
identifiers:
cce@rhel7: CCE-83600-7
cce@rhel8: CCE-83601-5
+ cce@rhel9: CCE-83527-2
references:
cis@rhel7: 5.2.3
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
index 3c96138cbc9..a9a594e87f8 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80350-2
cce@rhel8: CCE-82202-3
+ cce@rhel9: CCE-83544-7
cce@sle12: CCE-83013-3
cce@sle15: CCE-83291-5
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
index 172eedba548..a8658c9ed88 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80351-0
cce@rhel8: CCE-82197-5
+ cce@rhel9: CCE-83536-3
cce@sle12: CCE-83012-5
cce@sle15: CCE-85663-3
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
index 2138ea9ead0..cae15396bfe 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82278-3
cce@rhel8: CCE-82279-1
+ cce@rhel9: CCE-83543-9
cce@sle15: CCE-85673-2
references:
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index 930915327e0..a708f7a073b 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@sle15: CCE-85712-8
cce@rhel7: CCE-83423-4
cce@rhel8: CCE-83425-9
+ cce@rhel9: CCE-83525-6
references:
diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
index 32bff061c95..a32e759eee4 100644
--- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82349-2
cce@rhel8: CCE-82365-8
+ cce@rhel9: CCE-83528-0
ocil_clause: 'nopasswd is set for any users beyond vdsm'
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
index a0590c8b0b7..8bd794aa2b2 100644
--- a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
@@ -22,8 +22,9 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83631-2
- cce@rhel8: CCE-83632-0
+ cce@rhel7: CCE-83631-2
+ cce@rhel8: CCE-83632-0
+ cce@rhel9: CCE-83545-4
references:
anssi: BP28(R63)
diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
index 5421c589098..896c103747c 100644
--- a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
@@ -21,8 +21,9 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83517-3
- cce@rhel8: CCE-83518-1
+ cce@rhel7: CCE-83517-3
+ cce@rhel8: CCE-83518-1
+ cce@rhel9: CCE-83524-9
references:
anssi: BP28(R61)
diff --git a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
index ef2dd6e27dc..bcc9ecd0ee3 100644
--- a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
@@ -18,8 +18,9 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83597-5
- cce@rhel8: CCE-83598-3
+ cce@rhel7: CCE-83597-5
+ cce@rhel8: CCE-83598-3
+ cce@rhel9: CCE-83531-4
references:
anssi: BP28(R60)
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index d17f33852db..f336906294a 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -22,6 +22,7 @@ rationale: |-
identifiers:
cce@rhel7: CCE-83421-8
cce@rhel8: CCE-83422-6
+ cce@rhel9: CCE-83529-8
cce@sle15: CCE-85747-4
references:
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
index 61ec3bb5041..acaf85219c8 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82920-0
cce@rhel8: CCE-82919-2
+ cce@rhel9: CCE-83507-4
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
index 8b71752795a..15757ec7a6a 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82927-5
cce@rhel8: CCE-82926-7
+ cce@rhel9: CCE-83508-2
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
index fe5b1710349..5440804c82b 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82924-2
cce@rhel8: CCE-82923-4
+ cce@rhel9: CCE-83510-8
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
index 6cd038c7614..7723195d483 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82908-5
cce@rhel8: CCE-82907-7
+ cce@rhel9: CCE-83512-4
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
index 6fea7c33159..74b217d9e4e 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82914-3
cce@rhel8: CCE-82913-5
+ cce@rhel9: CCE-83513-2
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
index 9950ab14215..b058c92597b 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82917-6
cce@rhel8: CCE-82916-8
+ cce@rhel9: CCE-83514-0
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
index f98b732a50a..43da8d34b26 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
@@ -15,6 +15,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82911-9
cce@rhel8: CCE-82910-1
+ cce@rhel9: CCE-83515-7
references:
srg: SRG-OS-000095-GPOS-00049
diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
index c53a12edfc7..1af48c1611b 100644
--- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82395-5
+ cce@rhel9: CCE-83494-5
references:
ospp: FIA_X509_EXT
diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
index aa1ae14ade9..3e46bd39a7e 100644
--- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
@@ -15,6 +15,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82944-0
cce@rhel8: CCE-82943-2
+ cce@rhel9: CCE-83516-5
references:
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
index 651bf3eb4c1..6a99a5b82e6 100644
--- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
@@ -16,6 +16,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82947-3
cce@rhel8: CCE-82946-5
+ cce@rhel9: CCE-83519-9
references:
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
index b26dc2dbdf3..845167a237b 100644
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82930-9
cce@rhel8: CCE-82931-7
+ cce@rhel9: CCE-83520-7
references:
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000120-GPOS-00061
diff --git a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
index 475980cd54e..c2c8a19aa64 100644
--- a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82219-7
cce@rhel8: CCE-82220-5
+ cce@rhel9: CCE-83502-5
references:
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000191-GPOS-00080
diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
index 1d0ed040448..2396f5bb118 100644
--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82882-2
cce@rhel8: CCE-82883-0
+ cce@rhel9: CCE-83503-3
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
index f0ca76b6953..1acb18a6866 100644
--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82969-7
cce@rhel8: CCE-82968-9
+ cce@rhel9: CCE-83504-1
references:
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
index 2c272a01e3b..a7f9dfd8d76 100644
--- a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82951-5
cce@rhel8: CCE-82949-9
+ cce@rhel9: CCE-83505-8
references:
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
index 0742a1638fd..e79b482e89a 100644
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82638-8
cce@rhel8: CCE-82316-1
+ cce@rhel9: CCE-83506-6
references:
srg: SRG-OS-000366-GPOS-00153
diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
index 66f864069e2..728a04f5ac8 100644
--- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
@@ -18,6 +18,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82905-1
cce@rhel8: CCE-82904-4
+ cce@rhel9: CCE-83521-5
references:
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
index d0289b311c6..43e3a975354 100644
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
@@ -23,6 +23,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80346-0
cce@rhel8: CCE-82476-3
+ cce@rhel9: CCE-83458-0
cce@sle12: CCE-83186-7
cce@sle15: CCE-85551-0
diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
index 7a10f5dd9ed..a8834659ed5 100644
--- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
+++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82494-6
+ cce@rhel9: CCE-83456-4
references:
ospp: FMT_SMF_EXT.1
diff --git a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml
index 10e9e0ac2e9..5a4ad9e674e 100644
--- a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml
+++ b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml
@@ -18,6 +18,7 @@ severity: low
identifiers:
cce@rhel8: CCE-82267-6
+ cce@rhel9: CCE-83461-4
references:
ospp: FMT_SMF_EXT.1
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 8b2f877b60a..668d4b95f9e 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -33,6 +33,7 @@ severity: high
identifiers:
cce@rhel7: CCE-26989-4
cce@rhel8: CCE-80790-9
+ cce@rhel9: CCE-83457-2
cce@sle12: CCE-83068-7
cce@sle15: CCE-83290-7
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
index 67459838987..52c23b17f11 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
@@ -22,6 +22,7 @@ severity: high
identifiers:
cce@rhel7: CCE-80347-8
cce@rhel8: CCE-80791-7
+ cce@rhel9: CCE-83463-0
references:
stigid@ol7: OL07-00-020060
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
index 6adc5810034..53f832bdce8 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
@@ -22,6 +22,7 @@ severity: high
identifiers:
cce@rhel7: CCE-26876-3
cce@rhel8: CCE-80792-5
+ cce@rhel9: CCE-83464-8
references:
srg: SRG-OS-000366-GPOS-00153
diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
index 0bdace740b4..490683fe252 100644
--- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
+++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82986-1
cce@rhel8: CCE-82985-3
+ cce@rhel9: CCE-83454-9
references:
srg: SRG-OS-000191-GPOS-00080
diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
index 07aa5c3575b..7451f5637b5 100644
--- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
+++ b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82360-9
+ cce@rhel9: CCE-83459-8
references:
ospp: FMT_SMF_EXT.1
From 4325e8a4ec9f02766ae873ad25f0bbcf926bd72b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 23 Jun 2021 17:20:40 +0200
Subject: [PATCH 4/4] Resolved chrony vs ntp rules.
Profiles should select only chrony rules, as ntp is not
supposed to be used in RHEL9.
---
rhel9/profiles/ism_o.profile | 3 +--
rhel9/profiles/pci-dss.profile | 6 +++---
rhel9/profiles/stig.profile | 2 +-
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile
index 3a884f8371d..2aa4af470e9 100644
--- a/rhel9/profiles/ism_o.profile
+++ b/rhel9/profiles/ism_o.profile
@@ -90,9 +90,8 @@ selections:
- rsyslog_remote_tls_cacert
- package_chrony_installed
- service_chronyd_enabled
-# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
+ # - chronyd_specify_multiple_servers
- chronyd_specify_remote_server
-# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
## Events to be logged
## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957
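Review bot: The re-added `# - chronyd_specify_multiple_servers` entry is commented out without a reason, while the lines this patch removes each carried `# not supported in RHEL9 ATM`; the same bare entry appears in the pci-dss.profile hunk. As written, the profile still selects `chronyd_specify_remote_server` but no longer says why the multiple-server check is off, so a reader cannot tell a deliberate omission from a rule that is still waiting to be ported. I would keep a trailing reason, for example `# - chronyd_specify_multiple_servers # <reason it is disabled on RHEL9>`, as the stig.profile hunk does for `chronyd_set_maxpoll`. The selections list begins and continues outside this hunk.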
diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
index 6b00be5f76a..2c027af5236 100644
--- a/rhel9/profiles/pci-dss.profile
+++ b/rhel9/profiles/pci-dss.profile
@@ -79,9 +79,9 @@ selections:
- audit_rules_kernel_module_loading_init
- audit_rules_immutable
- var_multiple_time_servers=rhel
-# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
-# - chronyd_or_ntpd_specify_remote_server # not supported in RHEL9 ATM
-# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
+ - service_chronyd_enabled
+ - chronyd_specify_remote_server
+ # - chronyd_specify_multiple_servers
- rpm_verify_permissions
- rpm_verify_hashes
# - install_hids # not supported in RHEL9 ATM
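Review bot: `service_chronyd_enabled` is now selected here, but no `package_chrony_installed` selection is visible in this hunk, whereas the ism_o.profile hunk lists both. The selections list runs beyond the hunk, so the package rule may be selected elsewhere. If it is not, I would add `- package_chrony_installed` next to the service rule, so the profile also covers chrony being installed now that the ntp alternative is dropped.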
diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
index 1baafe6f751..eef1f901ab5 100644
e-- a/rhel9/profiles/stig.profile
+++ b/rhel9/profiles/stig.profile
@@ -820,7 +820,7 @@ selections:
# RHEL-08-030740
# remediation fails because default configuration file contains pool instead of server keyword
-# - chronyd_or_ntpd_set_maxpoll # not supported in RHEL9 ATM
+ # - chronyd_set_maxpoll # Doesn't exist in RHEL9, but it should
# RHEL-08-030741
# - chronyd_client_only # not supported in RHEL9 ATM