+Date: Fri, 30 Oct 2020 15:42:34 +0100
+Subject: [PATCH 7/7] update tests
+
+---
+ .../use_pam_wheel_for_su/tests/line_not_there.fail.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
+index be95c2eda9..d08437501b 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
++# remediation = none
+
+ #clean possible lines
+ sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
diff --git a/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_ssh_client_strong_entropy-PR_6404.diff b/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_ssh_client_strong_entropy-PR_6404.diff
new file mode 100644
index 0000000..7147dc2
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_ssh_client_strong_entropy-PR_6404.diff
@@ -0,0 +1,419 @@
+diff --git a/linux_os/guide/services/ssh/ssh_client/group.yml b/linux_os/guide/services/ssh/ssh_client/group.yml
+new file mode 100644
+index 0000000000..62ead28ee1
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/group.yml
+@@ -0,0 +1,11 @@
++documentation_complete: true
++
++title: 'Configure OpenSSH Client if Necessary'
++
++description: |-
++ The following configuration changes apply to the SSH client. They can
++ improve security parameters relwevant to the client user, e.g. increasing
++ entropy while generating initialization vectors. Note that these changes
++ influence only the default SSH client configuration. Changes in this group
++ can be overridden by the client user by modifying files within the
++ ~/.ssh
directory or by supplying parameters on the command line.
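Review bot: typo in the group description, `relwevant` should read `relevant`; this text is rendered in the published guide, so it is worth fixing before merge.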
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml
+new file mode 100644
+index 0000000000..a9f579ae04
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml
+@@ -0,0 +1,19 @@
++# platform = Red Hat Enterprise Linux 8
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++
++- name: "Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh"
++ lineinfile:
++ path: /etc/profile.d/cc-ssh-strong-rng.csh
++ regexp: '^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$'
++ line: 'setenv SSH_USE_STRONG_RNG 32'
++ state: present
++ create: yes
++
++- name: "Ensure that the configuration is not overridden in /etc/profile"
++ lineinfile:
++ path: /etc/profile
++ regexp: '^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$'
++ state: absent
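Review bot: the first `lineinfile` task rewrites only the last line matching `regexp` (that is how `state: present` with `regexp` behaves), so a file that already holds two `setenv SSH_USE_STRONG_RNG` lines keeps the earlier one untouched after remediation. The bash remediation for this rule truncates the file instead, so the two remediation flavours produce different results on the same input; add a preceding task with the same `regexp` and `state: absent` so stale assignments are dropped before the correct line is inserted. The `/etc/profile` task is fine as written, since `state: absent` removes every match.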
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh
+new file mode 100644
+index 0000000000..a3b0b3a9c6
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++
++# put line into the file
++echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
++
++# remove eventual override in /etc/profile
++sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile
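Review bot: the header lacks the `# reboot`, `# strategy`, `# complexity` and `# disruption` metadata lines that the Ansible counterpart carries; add them so both remediations are documented the same way. Note also that `echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh` replaces the whole file, which is reasonable because the file exists only for this rule, but it is not what the Ansible task does, so keep the difference in mind when comparing test results for the two.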
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml
+new file mode 100644
+index 0000000000..fe6d3a5f25
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml
+@@ -0,0 +1,36 @@
++
++
++ {{{ oval_metadata("Ensure the SSH_USE_STRONG_RNG environment variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh and is not overridden in /etc/profile") }}}
++
++
++
++
++
++
++
++
++
++
++
++
++ /etc/profile.d/cc-ssh-strong-rng.csh
++ ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG[\s]+([\d]+)$
++ 1
++
++
++
++
++
++
++
++ /etc/profile
++ ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$
++ 1
++
++
++
++ 32
++
++
++
+\ No newline at end of file
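Review bot: the override check reads the wrong file for the csh variant. `/etc/profile` is read by sh-compatible shells; csh and tcsh read `/etc/csh.cshrc` and `/etc/csh.login`, which on RHEL are also where `/etc/profile.d/*.csh` is sourced from, so a `setenv SSH_USE_STRONG_RNG 8` placed in either of those files overrides the setting without failing this check. If the `1` following each pattern is the object's `instance` element, confirm its operation is 'greater than or equal' rather than 'equals'; otherwise only the first match is evaluated and the `line_followed_by_wrong_line.fail.sh` scenario (32 followed by 8) would pass. The file is also missing its trailing newline, as flagged by `\ No newline at end of file`.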
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml
+new file mode 100644
+index 0000000000..a2b9bfa37d
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml
+@@ -0,0 +1,36 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'SSH client uses strong entropy to seed (for CSH like shells)'
++
++description: |-
++ To set up SSH client to use entropy from a high-quality source, make sure
++ that the appropriate shell environment variable is configured. The
++ SSH_USE_STRONG_RNG environment variable determines how many bytes
++ of entropy to use. Make sure that the file
++ /etc/profile.d/cc-ssh-strong-rng.csh contains line
++ setenv SSH_USE_STRONG_RNG 32
.
++
++rationale: |-
++ Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources.
++ Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors
++ in encryption algorithms, and high-quality entropy eliminates the possibility that the output of
++ the random number generator used by SSH would be known to potential attackers.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-83349-1
++
++references:
++ ospp: FCS_CKM.1.1
++ srg: SRG-OS-000480-GPOS-00227
++
++ocil_clause: 'SSH client is not configured to use 32 bytes of entropy or more'
++
++ocil: |-
++ Run the following command to verify that SSH client is configured to use 32 bytes of entropy:
++ grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh
++ It should return the following output:
++ setenv SSH_USE_STRONG_RNG 32
.
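Review bot: the `ocil` manual check covers only half of what the OVAL checks: it greps `/etc/profile.d/cc-ssh-strong-rng.csh` but never looks for an override in `/etc/profile`, so an auditor following the text can pass a system that the automated check fails. Add a second command, e.g. `grep SSH_USE_STRONG_RNG /etc/profile`, and state that it must return nothing. The `ocil_clause` says `32 bytes of entropy or more`, but the expected output is given as exactly `setenv SSH_USE_STRONG_RNG 32`; say the value must be 32 or greater so the `use_more_entropy.pass.sh` case (64) agrees with the text. The rationale's last sentence does not parse (`Plaintext padding, initialization vectors in encryption algorithms, and high-quality entropy eliminates the possibility ...`); reword it to say that plaintext padding and initialization vectors depend on the random number generator, and that seeding it from a high-quality entropy source prevents its output from being predictable to an attacker.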
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh
+new file mode 100644
+index 0000000000..4cfafa9f96
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh
+new file mode 100644
+index 0000000000..c2fead5697
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++rm -f /etc/profile.d/cc-ssh-strong-rng.csh
+\ No newline at end of file
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh
+new file mode 100644
+index 0000000000..4a0d26165b
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "#setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh
+new file mode 100644
+index 0000000000..5fbccb5f29
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
++echo "setenv SSH_USE_STRONG_RNG 8" >> /etc/profile.d/cc-ssh-strong-rng.csh
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh
+new file mode 100644
+index 0000000000..d93d1151f8
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++echo "setenv SSH_USE_STRONG_RNG 32" >> /etc/profile.d/cc-ssh-strong-rng.csh
++echo "setenv SSH_USE_STRONG_RNG 8" >> /etc/profile
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh
+new file mode 100644
+index 0000000000..d73f22ce5d
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "setenv SSH_USE_STRONG_RNG 64" > /etc/profile.d/cc-ssh-strong-rng.csh
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml
+new file mode 100644
+index 0000000000..d19ee819c0
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml
+@@ -0,0 +1,19 @@
++# platform = Red Hat Enterprise Linux 8
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++
++- name: "Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh"
++ lineinfile:
++ path: /etc/profile.d/cc-ssh-strong-rng.sh
++ regexp: '^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$'
++ line: 'export SSH_USE_STRONG_RNG=32'
++ state: present
++ create: yes
++
++- name: "Ensure that the configuration is not overridden in /etc/profile"
++ lineinfile:
++ path: /etc/profile
++ regexp: '^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$'
++ state: absent
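Review bot: same issue as the csh variant: `lineinfile` with `state: present` rewrites only the last line matching `regexp`, so an earlier stale `export SSH_USE_STRONG_RNG=...` line survives remediation while the bash remediation (`>` overwrite) removes it. Add a preceding `state: absent` task with the same `regexp` so both remediation flavours leave the same result.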
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh
+new file mode 100644
+index 0000000000..07e45f1dfa
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++
++# put line into the file
++echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
++
++# remove eventual override in /etc/profile
++sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile
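Review bot: as in the csh script, the header is missing the `# reboot`, `# strategy`, `# complexity` and `# disruption` lines present in the Ansible file; add them for consistency.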
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml
+new file mode 100644
+index 0000000000..23bda9bf83
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml
+@@ -0,0 +1,36 @@
++
++
++ {{{ oval_metadata("Ensure the SSH_USE_STRONG_RNG environment variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh and is not overridden in /etc/profile") }}}
++
++
++
++
++
++
++
++
++
++
++
++
++ /etc/profile.d/cc-ssh-strong-rng.sh
++ ^[\s]*export[\s]+SSH_USE_STRONG_RNG=([\d]+)$
++ 1
++
++
++
++
++
++
++
++ /etc/profile
++ ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$
++ 1
++
++
++
++ 32
++
++
++
+\ No newline at end of file
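Review bot: both patterns recognise only the `export SSH_USE_STRONG_RNG=<n>` spelling. A plain `SSH_USE_STRONG_RNG=8` assignment later in `/etc/profile` changes the value just as effectively (the variable is already exported by the profile.d file, and the export attribute is kept on reassignment) but is not matched by `^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$`, and a quoted value such as `export SSH_USE_STRONG_RNG="32"` in the profile.d file fails `([\d]+)$`. Consider making `export` optional and tolerating quotes, for example `^[\s]*(export[\s]+)?SSH_USE_STRONG_RNG=["']?([\d]+)["']?[\s]*$` for the first object and the optional-`export` form for the override pattern. The same question about the `instance` operation as for the csh OVAL applies here, and the file is missing its trailing newline.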
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml
+new file mode 100644
+index 0000000000..3de4df0a2e
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml
+@@ -0,0 +1,36 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'SSH client uses strong entropy to seed (Bash-like shells)'
++
++description: |-
++ To set up SSH client to use entropy from a high-quality source, make sure
++ that the appropriate shell environment variable is configured. The
++ SSH_USE_STRONG_RNG environment variable determines how many bytes
++ of entropy to use. Make sure that the file
++ /etc/profile.d/cc-ssh-strong-rng.sh contains line
++ export SSH_USE_STRONG_RNG=32
.
++
++rationale: |-
++ Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources.
++ Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors
++ in encryption algorithms, and high-quality entropy eliminates the possibility that the output of
++ the random number generator used by SSH would be known to potential attackers.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-83346-7
++
++references:
++ ospp: FCS_CKM.1.1
++ srg: SRG-OS-000480-GPOS-00227
++
++ocil_clause: 'SSH client is not configured to use 32 bytes of entropy or more'
++
++ocil: |-
++ Run the following command to verify that SSH client is configured to use 32 bytes of entropy:
++ grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.sh
++ The output should be:
++ export SSH_USE_STRONG_RNG=32
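Review bot: the three points raised on the csh rule apply here unchanged: the `ocil` text omits the `/etc/profile` override check that the OVAL performs, the `ocil_clause` says `32 bytes of entropy or more` while the expected output is shown as exactly `export SSH_USE_STRONG_RNG=32`, and the final rationale sentence needs rewording. Since the two `rule.yml` files share all of this text, fix it in both in the same way.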
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh
+new file mode 100644
+index 0000000000..8dc01bb3b5
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh
+new file mode 100644
+index 0000000000..feab751995
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++rm -f /etc/profile.d/cc-ssh-strong-rng.sh
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh
+new file mode 100644
+index 0000000000..f77cfabfe4
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "#export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh
+new file mode 100644
+index 0000000000..acbe72da2c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
++echo "export SSH_USE_STRONG_RNG=8" >> /etc/profile.d/cc-ssh-strong-rng.sh
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh
+new file mode 100644
+index 0000000000..38ce27729d
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
++echo "export SSH_USE_STRONG_RNG=8" >> /etc/profile
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh
+new file mode 100644
+index 0000000000..2b3b0fbeca
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "export SSH_USE_STRONG_RNG=64" > /etc/profile.d/cc-ssh-strong-rng.sh
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 687b948b34..755573a6f9 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -427,6 +427,10 @@ selections:
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
+
++# configure ssh client to use strong entropy
++ - ssh_client_use_strong_rng_sh
++ - ssh_client_use_strong_rng_csh
++
+ # zIPl specific rules
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 8bbc01f0d5..4bfb91de9d 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -175,6 +175,8 @@ selections:
+ - service_systemd-coredump_disabled
+ - service_usbguard_enabled
+ - ssh_client_rekey_limit
++- ssh_client_use_strong_rng_csh
++- ssh_client_use_strong_rng_sh
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index e1915d648b..adace8fd54 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -199,6 +199,8 @@ selections:
+ - service_usbguard_enabled
+ - smartcard_configure_cert_checking
+ - ssh_client_rekey_limit
++- ssh_client_use_strong_rng_csh
++- ssh_client_use_strong_rng_sh
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
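Review bot: the STIG profile stability data gains `ssh_client_use_strong_rng_csh` and `ssh_client_use_strong_rng_sh`, but `rhel8/profiles/stig.profile` itself is not modified anywhere in this diff, only `rhel8/profiles/ospp.profile` is. That is consistent only if the RHEL 8 STIG profile inherits the OSPP selections; please confirm, otherwise the profile stability test will fail for STIG.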
diff --git a/SOURCES/scap-security-guide-0.1.54-fix-oval-kernel-trust-cpu-rng-PR_6444.patch b/SOURCES/scap-security-guide-0.1.54-fix-oval-kernel-trust-cpu-rng-PR_6444.patch
new file mode 100644
index 0000000..f8ae788
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-fix-oval-kernel-trust-cpu-rng-PR_6444.patch
@@ -0,0 +1,34 @@
+From 0df80531afcfe73d0025dac31f259bdf38c37cc0 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 1 Dec 2020 13:48:37 +0100
+Subject: [PATCH] fix wrong rule name in oval and change platform to machine
+
+---
+ .../bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml | 2 +-
+ .../system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
+index a3e9b616a3..8d7197faed 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
+@@ -1,5 +1,5 @@
+
+-
++
+ {{{ oval_metadata("Ensure the kernel is configured to trust the CPU hardware random number generator.") }}}
+
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+index 3df57621a3..89ffe074e0 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+@@ -49,7 +49,7 @@ ocil: |-
+ If the command does not return any output, then the boot parameter is
+ missing.
+
+-platform: grub2
++platform: machine
+
+ template:
+ name: grub2_bootloader_argument
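Review bot: this hunk restores `platform: machine`, which PR_6415 (kernel_trust_rng_make_grub) had changed to `grub2`; the index line `3df57621a3..89ffe074e0` is the exact reverse of that patch's `89ffe074e0..3df57621a3`, so the spec file must apply PR_6415 before PR_6444 or this patch will not apply. The commit subject only says 'change platform to machine' without saying why `grub2` was wrong for this rule; a sentence in the patch description would help whoever rebases these patches next.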
diff --git a/SOURCES/scap-security-guide-0.1.54-kernel_trust_rng_make_grub-PR_6415.diff b/SOURCES/scap-security-guide-0.1.54-kernel_trust_rng_make_grub-PR_6415.diff
new file mode 100644
index 0000000..18f1503
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-kernel_trust_rng_make_grub-PR_6415.diff
@@ -0,0 +1,123 @@
+diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
+similarity index 100%
+rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/oval/shared.xml
+rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
+diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+similarity index 99%
+rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml
+rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+index 89ffe074e0..3df57621a3 100644
+--- a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+@@ -49,7 +49,7 @@ ocil: |-
+ If the command does not return any output, then the boot parameter is
+ missing.
+
+-platform: machine
++platform: grub2
+
+ template:
+ name: grub2_bootloader_argument
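Review bot: the rule directory is renamed to `grub2_kernel_trust_cpu_rng`, but `oval/shared.xml` is renamed with `similarity index 100%`, so if its definition id still carries the old `kernel_trust_cpu_rng` name it will no longer match the rule id the build derives from the directory. The follow-up patch PR_6444 ('fix wrong rule name in oval') appears to be exactly that fix; either fold it in here or make sure the two patches are always applied together, since a build between them would be broken.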
+diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/boot_parameter.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/boot_parameter.pass.sh
+similarity index 100%
+rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/boot_parameter.pass.sh
+rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/boot_parameter.pass.sh
+diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled.pass.sh
+similarity index 100%
+rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled.pass.sh
+rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled.pass.sh
+diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh
+similarity index 100%
+rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh
+rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh
+diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/missing.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/missing.fail.sh
+similarity index 100%
+rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/missing.fail.sh
+rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/missing.fail.sh
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 5944383e39..687b948b34 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -134,7 +134,7 @@ selections:
+ - grub2_vsyscall_argument.role=unscored
+ - grub2_vsyscall_argument.severity=info
+ - grub2_pti_argument
+- - kernel_trust_cpu_rng
++ - grub2_kernel_trust_cpu_rng
+
+ ## Security Settings
+ - sysctl_kernel_kptr_restrict
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index a11664fe28..8bbc01f0d5 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -84,6 +84,7 @@ selections:
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - grub2_disable_interactive_boot
++- grub2_kernel_trust_cpu_rng
+ - grub2_page_poison_argument
+ - grub2_pti_argument
+ - grub2_slub_debug_argument
+@@ -97,7 +98,6 @@ selections:
+ - kernel_module_firewire-core_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+-- kernel_trust_cpu_rng
+ - mount_option_boot_nodev
+ - mount_option_boot_nosuid
+ - mount_option_dev_shm_nodev
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 5add9d462f..e1915d648b 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -29,6 +29,8 @@ selections:
+ - accounts_password_minlen_login_defs
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_difok
++- accounts_password_pam_enforce_local
++- accounts_password_pam_enforce_root
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_maxclassrepeat
+ - accounts_password_pam_maxrepeat
+@@ -39,6 +41,7 @@ selections:
+ - accounts_password_set_max_life_existing
+ - accounts_password_set_min_life_existing
+ - accounts_passwords_pam_faillock_deny
++- accounts_passwords_pam_faillock_enforce_local
+ - accounts_passwords_pam_faillock_interval
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_umask_etc_bashrc
+@@ -103,6 +106,7 @@ selections:
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - grub2_disable_interactive_boot
++- grub2_kernel_trust_cpu_rng
+ - grub2_page_poison_argument
+ - grub2_pti_argument
+ - grub2_slub_debug_argument
+@@ -116,7 +120,6 @@ selections:
+ - kernel_module_firewire-core_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+-- kernel_trust_cpu_rng
+ - mount_option_boot_nodev
+ - mount_option_boot_nosuid
+ - mount_option_dev_shm_nodev
+@@ -195,6 +198,7 @@ selections:
+ - service_systemd-coredump_disabled
+ - service_usbguard_enabled
+ - smartcard_configure_cert_checking
++- ssh_client_rekey_limit
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+@@ -272,8 +276,4 @@ selections:
+ - grub2_vsyscall_argument.severity=info
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
+-- ssh_client_rekey_limit
+-- accounts_passwords_pam_faillock_enforce_local
+-- accounts_password_pam_enforce_local
+-- accounts_password_pam_enforce_root
+ title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
diff --git a/SOURCES/scap-security-guide-0.1.54-make_usbguard_not_applicable_s390x-PR_6442.patch b/SOURCES/scap-security-guide-0.1.54-make_usbguard_not_applicable_s390x-PR_6442.patch
new file mode 100644
index 0000000..46fbb23
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-make_usbguard_not_applicable_s390x-PR_6442.patch
@@ -0,0 +1,18 @@
+From 22bca4fc47160181133a9c85ab360b6acb8d768d Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 1 Dec 2020 09:32:58 +0100
+Subject: [PATCH 4/4] add new platform to usbguard group
+
+---
+ linux_os/guide/services/usbguard/group.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/services/usbguard/group.yml b/linux_os/guide/services/usbguard/group.yml
+index 1669bb7a6d..d386dd5f4f 100644
+--- a/linux_os/guide/services/usbguard/group.yml
++++ b/linux_os/guide/services/usbguard/group.yml
+@@ -5,3 +5,4 @@ title: 'USBGuard daemon'
+ description: |-
+ The USBGuard daemon enforces the USB device authorization policy for all USB devices.
+
++platform: not_s390x_arch
diff --git a/SOURCES/scap-security-guide-0.1.54-pwquality_update-PR_6370.patch b/SOURCES/scap-security-guide-0.1.54-pwquality_update-PR_6370.patch
new file mode 100644
index 0000000..de5db5b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-pwquality_update-PR_6370.patch
@@ -0,0 +1,429 @@
+From d2666b534c38bfc3bbd7308c4db4ef887cae6e0b Mon Sep 17 00:00:00 2001
+From: Gabe
+Date: Wed, 11 Nov 2020 15:14:51 -0700
+Subject: [PATCH] Add new pwquality.conf and faillock.conf rules
+
+- Add rule for enforcing password complexity for root
+- Add rules for enforcing pwquality and faillock for local users only
+- Enable SSH client for STIG
+- Part of #4978
+- Fixes #2706
+- Fixes #2174
+---
+ .../ansible/shared.yml | 12 ++++++
+ .../bash/shared.sh | 9 ++++
+ .../oval/shared.xml | 21 ++++++++++
+ .../rule.yml | 42 +++++++++++++++++++
+ .../ansible/shared.yml | 12 ++++++
+ .../bash/shared.sh | 9 ++++
+ .../oval/shared.xml | 21 ++++++++++
+ .../rule.yml | 42 +++++++++++++++++++
+ .../ansible/shared.yml | 12 ++++++
+ .../bash/shared.sh | 9 ++++
+ .../oval/shared.xml | 21 ++++++++++
+ .../rule.yml | 39 +++++++++++++++++
+ rhel8/profiles/stig.profile | 4 +-
+ .../oval/accounts_password_pam_faillock.xml | 26 ++++++++++++
+ .../data/profile_stability/rhel8/stig.profile | 4 ++
+ 16 files changed, 282 insertions(+), 4 deletions(-)
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
+ create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
+ create mode 100644 shared/checks/oval/accounts_password_pam_faillock.xml
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
+new file mode 100644
+index 0000000000..6ead01fab5
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml
+@@ -0,0 +1,12 @@
++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++- name: Ensure failed password attempts lockout only for local users
++ lineinfile:
++ create: yes
++ dest: "/etc/security/faillock.conf"
++ regexp: '^#?\s*local_users_only'
++ line: "local_users_only"
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
+new file mode 100644
+index 0000000000..8c43a8bb82
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh
+@@ -0,0 +1,9 @@
++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++if ! grep -q "^local_users_only" /etc/security/faillock.conf; then
++ sed "s/# local_users_only/local_users_only/g" -i /etc/security/faillock.conf
++fi
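Review bot: the remediation silently does nothing when /etc/security/faillock.conf has no `# local_users_only` line (file absent, or the comment written as `#local_users_only` or with a different spacing), because `sed "s/# local_users_only/local_users_only/g"` only rewrites an existing comment and nothing appends the setting; the OVAL check for this rule will then still fail after remediation reports success. The Ansible variant does not have this gap (`lineinfile` with `create: yes` appends when the regexp does not match). Suggest adding a fallback after the sed, e.g. `grep -q "^local_users_only" /etc/security/faillock.conf || echo "local_users_only" >> /etc/security/faillock.conf`, and guarding `sed -i` against a missing file.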
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
+new file mode 100644
+index 0000000000..8e8ce134b0
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml
+@@ -0,0 +1,21 @@
++
++
++ {{{ oval_metadata("Failed password attempts are enforced for local users only.") }}}
++
++
++
++
++
++
++
++
++
++
++
++ /etc/security/faillock.conf
++ ^[\s]*local_users_only[\s]*$
++ 1
++
++
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
+new file mode 100644
+index 0000000000..a189ac68ec
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
+@@ -0,0 +1,42 @@
++documentation_complete: true
++
++prodtype: fedora,rhel8
++
++title: 'Enforce pam_faillock for Local Accounts Only'
++
++description: |-
++ The pam_faillock module's local_users_only parameter controls requirements for
++ enforcing failed lockout attempts only for local user accounts and ignoring
++ centralized user account management failed attempt configurations. Enable the local_users_only
++ setting in /etc/security/faillock.conf to require failed password attempts
++ for only local user accounts.
++
++rationale: |-
++ The operating system must provide automated mechanisms for supporting account management
++ functions. Enterprise environments make application account management challenging and
++ complex. A manual process for account management functions adds the risk of a potential
++ oversight or other error.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-83401-0
++
++references:
++ disa: CCI-000015
++ nist: AC-2(1)
++ srg: SRG-OS-000001-GPOS-00001
++
++ocil_clause: 'local_users_only is not uncommented or configured correctly'
++
++ocil: |-
++ To check if root user is required to use complex passwords, run the following command:
++ $ grep local_users_only /etc/security/faillock.conf
++ The output should return local_users_only uncommented.
++
++platform: pam
++
++warnings:
++ - management: |-
++ Using this rule bypasses pam_faillock's functionality and should be used in cases
++ where centralized management such as LDAP or Active Directory is in use.
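Review bot: the `ocil` text is copied from the pwquality enforce_root rule and describes the wrong check ("To check if root user is required to use complex passwords"); for this rule it should read something like "To check that failed login attempts are counted only for local users, run: `$ grep local_users_only /etc/security/faillock.conf`". The `description` has the same problem in its last sentence ("to require failed password attempts for only local user accounts" is not what the option does); suggest "so that failed authentication attempts are tracked only for local user accounts and not for accounts managed centrally (e.g. via LDAP or Active Directory)". The `rationale` block is a generic account-management paragraph that does not explain why counting only local users is desirable; a sentence tying it to the `warnings.management` note would help.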
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
+new file mode 100644
+index 0000000000..cebb406ad7
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml
+@@ -0,0 +1,12 @@
++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++- name: Ensure password complexity only for local users
++ lineinfile:
++ create: yes
++ dest: "/etc/security/pwquality.conf"
++ regexp: '^#?\s*local_users_only'
++ line: "local_users_only"
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
+new file mode 100644
+index 0000000000..4049539796
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh
+@@ -0,0 +1,9 @@
++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++if ! grep -q "^local_users_only" /etc/security/pwquality.conf; then
++ sed "s/# local_users_only/local_users_only/g" -i /etc/security/pwquality.conf
++fi
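Review bot: same gap as the faillock bash remediation: if /etc/security/pwquality.conf lacks a `# local_users_only` comment line, the sed substitution matches nothing and the option is never written, so the rule remains non-compliant after remediation. Suggest appending the option when the sed leaves the file unchanged, e.g. `grep -q "^local_users_only" /etc/security/pwquality.conf || echo "local_users_only" >> /etc/security/pwquality.conf`.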
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
+new file mode 100644
+index 0000000000..794344e635
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml
+@@ -0,0 +1,21 @@
++
++
++ {{{ oval_metadata("The password complexity requirements are enforced for local users only.") }}}
++
++
++
++
++
++
++
++
++
++
++
++ /etc/security/pwquality.conf
++ ^[\s]*local_users_only[\s]*$
++ 1
++
++
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
+new file mode 100644
+index 0000000000..37f89b75b5
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
+@@ -0,0 +1,42 @@
++documentation_complete: true
++
++prodtype: fedora,rhel8
++
++title: 'Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only'
++
++description: |-
++ The pam_pwquality module's local_users_only parameter controls requirements for
++ enforcing password complexity by pam_pwquality only for local user accounts and ignoring
++ centralized user account management password complexity configurations. Enable the local_users_only
++ setting in /etc/security/pwquality.conf to require password complexity enforcement
++ for only local user accounts.
++
++rationale: |-
++ The operating system must provide automated mechanisms for supporting account management
++ functions. Enterprise environments make application account management challenging and
++ complex. A manual process for account management functions adds the risk of a potential
++ oversight or other error.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-83364-0
++
++references:
++ disa: CCI-000015
++ nist: AC-2(1)
++ srg: SRG-OS-000001-GPOS-00001
++
++ocil_clause: 'local_users_only is not uncommented or configured correctly'
++
++ocil: |-
++ To verify if password complexities are only enforce on local users, run the following command:
++ $ grep local_users_only /etc/security/pwquality.conf
++ The output should return local_users_only uncommented.
++
++platform: pam
++
++warnings:
++ - management: |-
++ Using this rule bypasses pam_faillock's functionality and should be used in cases
++ where centralized management such as LDAP or Active Directory is in use.
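Review bot: the `warnings.management` text refers to the wrong module ("Using this rule bypasses pam_faillock's functionality"); this rule configures pam_pwquality, so it should say pam_pwquality. The `ocil` sentence also has a grammar slip ("password complexities are only enforce on local users" should be "password complexity is enforced only for local users"), and the `description` repeats "pam_pwquality" and "local_users_only" in one run-on sentence; suggest "The pam_pwquality `local_users_only` option restricts password complexity checks to local user accounts, leaving centrally managed accounts to their own policy."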
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
+new file mode 100644
+index 0000000000..516c5c1ae6
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml
+@@ -0,0 +1,12 @@
++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++- name: Ensure password complexity for root user
++ lineinfile:
++ create: yes
++ dest: "/etc/security/pwquality.conf"
++ regexp: '^#?\s*enforce_for_root'
++ line: "enforce_for_root"
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
+new file mode 100644
+index 0000000000..97f45c6259
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh
+@@ -0,0 +1,9 @@
++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++if ! grep -q "^enforce_for_root" /etc/security/pwquality.conf; then
++ sed "s/# enforce_for_root/enforce_for_root/g" -i /etc/security/pwquality.conf
++fi
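Review bot: as with the two `local_users_only` remediations, `sed "s/# enforce_for_root/enforce_for_root/g"` only uncomments an existing `# enforce_for_root` line and never appends the option when that line is absent, so the bash remediation can succeed while the OVAL check (`^[\s]*enforce_for_root[\s]*$`) still fails. Suggest the same fallback: `grep -q "^enforce_for_root" /etc/security/pwquality.conf || echo "enforce_for_root" >> /etc/security/pwquality.conf`.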
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
+new file mode 100644
+index 0000000000..fccf5fd00e
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml
+@@ -0,0 +1,21 @@
++
++
++ {{{ oval_metadata("The password complexity requirements are enforced for root.") }}}
++
++
++
++
++
++
++
++
++
++
++
++ /etc/security/pwquality.conf
++ ^[\s]*enforce_for_root[\s]*$
++ 1
++
++
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
+new file mode 100644
+index 0000000000..6aa1876e03
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
+@@ -0,0 +1,39 @@
++documentation_complete: true
++
++prodtype: fedora,rhel8
++
++title: 'Ensure PAM Enforces Password Requirements - Enforce for root User'
++
++description: |-
++ The pam_pwquality module's enforce_for_root parameter controls requirements for
++ enforcing password complexity for the root user. Enable the enforce_for_root
++ setting in /etc/security/pwquality.conf to require the root user
++ to use complex passwords.
++
++rationale: |-
++ Use of a complex password helps to increase the time and resources required to compromise
++ the password. Password complexity, or strength, is a measure of the effectiveness of a
++ password in resisting attempts at guessing and brute-force attacks.
++
++ Password complexity is one factor of several that determines how long it takes to crack a
++ password. The more complex the password, the greater the number of possible combinations
++ that need to be tested before the password is compromised.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-83377-2
++
++references:
++ disa: CCI-000194,CCI-000193,CCI-001619,CCI-000205,CCI-000195,CCI-000192,CCI-000366
++ nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
++ srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037
++
++ocil_clause: 'enforce_for_root is not uncommented or configured correctly'
++
++ocil: |-
++ To verify if root user is required to use complex passwords, run the following command:
++ $ grep enforce_for_root /etc/security/pwquality.conf
++ The output should return enforce_for_root uncommented.
++
++platform: pam
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 15fe5c5bf9..b23cc05029 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -45,13 +45,15 @@ selections:
+ - package_audispd-plugins_installed
+ - package_libcap-ng-utils_installed
+ - auditd_audispd_syslog_plugin_activated
++ - accounts_passwords_pam_faillock_enforce_local
++ - accounts_password_pam_enforce_local
++ - accounts_password_pam_enforce_root
+
+ # Configure TLS for remote logging
+ - package_rsyslog_installed
+ - package_rsyslog-gnutls_installed
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+- - "!ssh_client_rekey_limit"
+
+ # Unselect zIPL rules from OSPP
+ - "!zipl_bls_entries_only"
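Review bot: dropping `- "!ssh_client_rekey_limit"` re-selects the `ssh_client_rekey_limit` rule in the RHEL 8 STIG profile (the stability-test data further down gains `- ssh_client_rekey_limit` to match), which is a behaviour change unrelated to the three pam rules added in the same hunk. If it is intended, it deserves its own mention in the commit message and the package changelog; if not, keep the unselect line and only add the three `accounts_*` selections.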
+diff --git a/shared/checks/oval/accounts_password_pam_faillock.xml b/shared/checks/oval/accounts_password_pam_faillock.xml
+new file mode 100644
+index 0000000000..c55c143ba5
+--- /dev/null
++++ b/shared/checks/oval/accounts_password_pam_faillock.xml
+@@ -0,0 +1,26 @@
++
++
++
++ Check pam_faillock Existence in system-auth
++
++ multi_platform_all
++
++ Check that pam_faillock.so exists in system-auth
++
++
++
++
++
++
++
++
++
++
++
++ /etc/pam.d/system-auth
++ ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$
++ 1
++
++
++
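Review bot: the pattern `^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$` looks for pam_faillock in the `password` stack, but pam_faillock provides only the `auth` and `account` module types, so in a correctly configured system-auth it appears on `auth ... pam_faillock.so preauth/authfail` and `account required pam_faillock.so` lines and this check would never match. Suggest `^\s*auth\s+(?:required|requisite)\s+pam_faillock\.so.*$` (and optionally a second object for `account`). Also consider checking /etc/pam.d/password-auth alongside system-auth, since RHEL 8 stacks both, and the title/description should state which stack the check targets.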
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 569eed6636..5add9d462f 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -272,4 +272,8 @@ selections:
+ - grub2_vsyscall_argument.severity=info
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
++- ssh_client_rekey_limit
++- accounts_passwords_pam_faillock_enforce_local
++- accounts_password_pam_enforce_local
++- accounts_password_pam_enforce_root
+ title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
diff --git a/SOURCES/scap-security-guide-0.1.54-rsyslog_case_insensitive-PR_6396.patch b/SOURCES/scap-security-guide-0.1.54-rsyslog_case_insensitive-PR_6396.patch
new file mode 100644
index 0000000..6e4d8ea
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-rsyslog_case_insensitive-PR_6396.patch
@@ -0,0 +1,50 @@
+From cfbba5a3d43551fd2d8cdc7afdfa2b1fd7e2d0a4 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 18 Nov 2020 14:12:26 +0100
+Subject: [PATCH 1/2] Make rsyslog_remote_tls regex case insensitive for
+ rsyslogs parameters.
+
+---
+ .../rsyslog_remote_tls/oval/shared.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml
+index ead7a770fd..56f970b2cd 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml
+@@ -16,11 +16,11 @@
+
+
+ ^/etc/rsyslog\.(conf|d/.+\.conf)$
+- ^\s*action\(type="omfwd"(.+?)\)
++ ^\s*action\((?i)type(?-i)="omfwd"(.+?)\)
+ 0
+
+
+
+- (?=[\S\s]*\sprotocol="tcp")(?=[\S\s]*\sTarget="[^"]+?")(?=[\S\s]*\sport="6514")(?=[\S\s]*\sStreamDriver="gtls")(?=[\S\s]*\sStreamDriverMode="1")(?=[\S\s]*\sStreamDriverAuthMode="x509/name")(?=[\S\s]*\sstreamdriver\.CheckExtendedKeyPurpose="on")
++ (?=[\S\s]*\s(?i)protocol(?-i)="tcp")(?=[\S\s]*\s(?i)Target(?-i)="[^"]+?")(?=[\S\s]*\s(?i)port(?-i)="6514")(?=[\S\s]*\s(?i)StreamDriver(?-i)="gtls")(?=[\S\s]*\s(?i)StreamDriverMode(?-i)="1")(?=[\S\s]*\s(?i)StreamDriverAuthMode(?-i)="x509/name")(?=[\S\s]*\s(?i)StreamDriver\.CheckExtendedKeyPurpose(?-i)="on")
+
+
+
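Review bot: the `(?i)`/`(?-i)` toggles make only the parameter names case-insensitive while the values (`"omfwd"`, `"tcp"`, `"gtls"`, `"x509/name"`, `"on"`) stay case-sensitive; if that is deliberate (values are expected verbatim), say so in a comment next to the pattern, because the commit subject speaks of parameters generally and the new "mixed cases" test scenario should then use mixed case only in the parameter names. Note also that `(?i)` in a PCRE group applies to the remainder of that group, so each `(?-i)` is needed only because the lookaheads continue with the quoted value; wrapping as `(?i:StreamDriver)` would express the same thing more readably.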
+From 7fabf6bffca1e02fccf09f62564d65384b4cf2f8 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 18 Nov 2020 15:12:26 +0100
+Subject: [PATCH 2/2] Add test scenario for mixed case sensitivity.
+
+---
+ .../tests/correct_singleline_mixed_cases.pass.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+ create mode 100644 linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/tests/correct_singleline_mixed_cases.pass.sh
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/tests/correct_singleline_mixed_cases.pass.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/tests/correct_singleline_mixed_cases.pass.sh
+new file mode 100644
+index 0000000000..7e8455bb6c
+--- /dev/null
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/tests/correct_singleline_mixed_cases.pass.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++
++cat >> /etc/rsyslog.conf <
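Review bot: this test scenario is truncated as shown: `cat >> /etc/rsyslog.conf <` has neither a heredoc delimiter nor the mixed-case `action(...)` line it is meant to exercise, and the diffstat promises 5 added lines. As visible here the scenario cannot be checked against the new regex; please confirm the committed file is intact and that its sample line mixes case in parameter names only (see the note on the OVAL pattern).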
+Date: Wed, 9 Dec 2020 11:58:48 +0100
+Subject: [PATCH] Set platform package mapping to None for not_s390x_arch CPE.
+
+---
+ ssg/constants.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ssg/constants.py b/ssg/constants.py
+index f5c0566928..589c955f02 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -337,6 +337,7 @@
+ "sssd": "sssd-common",
+ "zipl": "s390utils-base",
+ "sssd-ldap": None, # Force package check wrapping skip
++ "not_s390x_arch": None,
+ }
+
+ # _version_name_map = {
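Review bot: the new `"not_s390x_arch": None,` entry should carry the same kind of explanatory comment as the `"sssd-ldap": None, # Force package check wrapping skip` line above it, e.g. `# architecture CPE, not backed by a package`, so the next reader does not assume a package name is missing.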
diff --git a/SOURCES/scap-security-guide-0.1.54-use_osrelease_check_system_arch-PR_6458.patch b/SOURCES/scap-security-guide-0.1.54-use_osrelease_check_system_arch-PR_6458.patch
new file mode 100644
index 0000000..503ac36
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-use_osrelease_check_system_arch-PR_6458.patch
@@ -0,0 +1,52 @@
+From a1ecfdad4c1187ccd645615b4b7b0e431e8a2d9d Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 7 Dec 2020 11:11:48 +0100
+Subject: [PATCH] Check kernel osrelease instead of using uname test
+
+Check /proc/sys/kernel/osrelease to get arch of system.
+uname test is not supported in offline mode
+---
+ ...oc_sys_kernel_osrelease_arch_not_s390x.xml | 34 +++++++++++++++++++
+ 3 files changed, 35 insertions(+), 29 deletions(-)
+ create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+new file mode 100644
+index 0000000000..1fc625a1e7
+--- /dev/null
++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+@@ -0,0 +1,34 @@
++
++
++
++ Test for different architecture than s390x
++
++ multi_platform_all
++
++ Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x
++
++
++
++
++
++
++
++
++
++
++
++ /proc/sys/kernel/osrelease
++ ^.*\.(.*)$
++ 1
++
++
++
++ ^s390x$
++
++
++
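Review bot: the pattern `^.*\.(.*)$` on /proc/sys/kernel/osrelease captures whatever follows the last dot and compares it with `^s390x$`, which relies on the distribution's kernel release naming convention (`...el8.s390x`); a kernel built without the architecture suffix (e.g. `5.9.0`) would yield `0` and be treated as "not s390x". Since the commit message explains this replaces a `uname` test that offline mode cannot run, state that assumption in the description so the limitation is documented, and consider anchoring the capture on a known suffix set such as `\.(x86_64|aarch64|ppc64le|s390x)$` if that is acceptable for the targeted products. The commit's diffstat mentions 3 files changed, but only this one file is present in the stripped-down patch; the spec comment covers this, but the diffstat could be trimmed to match.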
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index bb7a7bd..be83448 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
Name: scap-security-guide
Version: 0.1.53
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
@@ -8,6 +8,18 @@ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
+Patch1: scap-security-guide-0.1.54-add_rhel8_ospp_pam_whell-PR_6256.patch
+Patch2: scap-security-guide-0.1.54-rsyslog_case_insensitive-PR_6396.patch
+Patch3: scap-security-guide-0.1.54-pwquality_update-PR_6370.patch
+Patch4: scap-security-guide-0.1.54-kernel_trust_rng_make_grub-PR_6415.diff
+Patch5: scap-security-guide-0.1.54-add_rhel8_ospp_ssh_client_strong_entropy-PR_6404.diff
+Patch6: scap-security-guide-0.1.54-fix-oval-kernel-trust-cpu-rng-PR_6444.patch
+# Patches 7, 8 and 9 were stripped down to a build system without dynamically generated CPEs
+Patch7: scap-security-guide-0.1.54-make_usbguard_not_applicable_s390x-PR_6442.patch
+Patch8: scap-security-guide-0.1.54-use_osrelease_check_system_arch-PR_6458.patch
+Patch9: scap-security-guide-0.1.54-set_package_not_s390x_arch_to_none-PR_6462.patch
+# Patch 10 adds platform not_s390_arch to the CPE dictionary manually
+Patch10: add_not_s390x_cpe_dictionary.diff
BuildArch: noarch
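Review bot: the `Patch1` file name `scap-security-guide-0.1.54-add_rhel8_ospp_pam_whell-PR_6256.patch` spells "whell" where the changelog bullet and the rule say pam_wheel; the build works as long as the file in SOURCES matches, but renaming it to `pam_wheel` avoids confusion. The comments on Patch7-9 and Patch10 are helpful; a similar one-line comment per patch (or the RHBZ number) on Patch1-6 would make the list self-explanatory.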
@@ -43,6 +55,16 @@ present in %{name} package.
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
mkdir build
%build
@@ -77,6 +99,13 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
+* Tue Dec 15 2020 Gabriel Becker - 0.1.53-3
+- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
+- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
+- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
+- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
+- Disable usbguard rules on s390x architecture (RHBZ#1899059)
+
* Thu Dec 03 2020 Watson Sato - 0.1.53-2
- Update list of profiles built (RHBZ#1889344)
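Review bot: the 0.1.53-3 changelog entry does not mention `Patch3` (`pwquality_update-PR_6370`), which adds the `accounts_password_pam_enforce_root`, `accounts_password_pam_enforce_local` and `accounts_passwords_pam_faillock_enforce_local` rules and re-selects `ssh_client_rekey_limit` in the STIG profile; add a bullet for it (with its RHBZ if one exists) so the changelog reflects every applied patch. The date/author line should also carry the packager's e-mail in angle brackets, as the 0.1.53-2 entry format implies.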