From fdc04fed4ae88d0114540a524f5170b19e2b0d19 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 17:17:23 +0200
Subject: [PATCH 01/21] Enable audit rules in RHEL8 STIG.

---
 .../audit_rules_execution_chacl/rule.yml      |   2 +-
 .../audit_rules_execution_setfacl/rule.yml    |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 products/rhel8/profiles/stig.profile          | 171 +++++++++++-------
 6 files changed, 110 insertions(+), 71 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 8c8b0cbda8..28125b692b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
 
 title: 'Record Any Attempts to Run chacl'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index dcd62891f1..43fe86106c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
 
 title: 'Record Any Attempts to Run setfacl'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index d2ff46792c..dbba6f8636 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
 
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - kmod'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
index 58d0aef7a5..b9f68d0712 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
 
 title: 'Record Any Attempts to Run ssh-agent'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index 6fa14649be..b4c8a8f2cb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004
+prodtype: rhel8,sle12,sle15,ubuntu2004
 
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index f66b2a24a7..c3eee7fae0 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -652,167 +652,206 @@ selections:
     # ************ #
 
     # RHEL-08-030121
-    # - audit_rules_immutable
+    - audit_rules_immutable
 
     # RHEL-08-030122
-    # - audit_immutable_login_uids
+    - audit_immutable_login_uids
 
     # RHEL-08-030130
-    # - audit_rules_usergroup_modification_shadow
+    - audit_rules_usergroup_modification_shadow
 
     # RHEL-08-030140
-    # - audit_rules_usergroup_modification_opasswd
+    - audit_rules_usergroup_modification_opasswd
 
     # RHEL-08-030150
-    # - audit_rules_usergroup_modification_passwd
+    - audit_rules_usergroup_modification_passwd
 
     # RHEL-08-030160
-    # - audit_rules_usergroup_modification_gshadow
+    - audit_rules_usergroup_modification_gshadow
 
     # RHEL-08-030170
-    # - audit_rules_usergroup_modification_group
+    - audit_rules_usergroup_modification_group
 
-    # RHEL-08-030171, RHEL-08-030172
+    # RHEL-08-030171
+    # should be split
     # - audit_rules_sysadmin_actions
 
+    # RHEL-08-030172
+    - audit_rules_sysadmin_actions
+
     # RHEL-08-030180
     - package_audit_installed
     - service_auditd_enabled
 
     # RHEL-08-030190
-    # - audit_rules_privileged_commands_sudo
+    - audit_rules_privileged_commands_su
+
+    # RHEL-08-030200
+    - audit_rules_dac_modification_lremovexattr
+
+    # RHEL-08-030210
+    - audit_rules_dac_modification_removexattr
+
+    # RHEL-08-030220
+    - audit_rules_dac_modification_lsetxattr
 
-    # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, RHEL-08-030230, RHEL-08-030240
-    # - audit_perm_change_failed
-    # - audit_perm_change_success
+    # RHEL-08-030230
+    - audit_rules_dac_modification_fsetxattr
+
+    # RHEL-08-030240
+    - audit_rules_dac_modification_fremovexattr
 
     # RHEL-08-030250
-    # - audit_rules_privileged_commands_chage
+    - audit_rules_privileged_commands_chage
 
     # RHEL-08-030260
-    # - audit_rules_execution_chcon
+    - audit_rules_execution_chcon
 
     # RHEL-08-030270
-    # - audit_perm_change_failed
-    # - audit_perm_change_success
+    - audit_rules_dac_modification_setxattr
 
     # RHEL-08-030280
+    - audit_rules_privileged_commands_ssh_agent
+
+    # RHEL-08-030290
+    - audit_rules_privileged_commands_passwd
 
-    # RHEL-08-030290, RHEL-08-030300, RHEL-08-030301
-    # - audit_ospp_general
+    # RHEL-08-030300
+    - audit_rules_privileged_commands_mount
+
+    # RHEL-08-030301
+    - audit_rules_privileged_commands_umount
 
     # RHEL-08-030302
-    # - audit_rules_media_export
+    - audit_rules_media_export
 
     # RHEL-08-030310
+    # missing rule
 
     # RHEL-08-030311
-    # - audit_rules_privileged_commands_postdrop
+    - audit_rules_privileged_commands_postdrop
 
     # RHEL-08-030312
-    # - audit_rules_privileged_commands_postqueue
+    - audit_rules_privileged_commands_postqueue
 
     # RHEL-08-030313
-    # - audit_rules_execution_semanage
+    - audit_rules_execution_semanage
 
     # RHEL-08-030314
-    # - audit_rules_execution_setfiles
+    - audit_rules_execution_setfiles
 
     # RHEL-08-030315
-    # - audit_ospp_general
+    - audit_rules_privileged_commands_userhelper
 
     # RHEL-08-030316
-    # - audit_rules_execution_setsebool
+    - audit_rules_execution_setsebool
 
     # RHEL-08-030317
-    # - audit_ospp_general
+    - audit_rules_privileged_commands_unix_chkpwd
 
     # RHEL-08-030320
-    # - audit_rules_privileged_commands_ssh_keysign
+    - audit_rules_privileged_commands_ssh_keysign
 
     # RHEL-08-030330
+    - audit_rules_execution_setfacl
 
     # RHEL-08-030340
-    # - audit_rules_privileged_commands_pam_timestamp_check
+    - audit_rules_privileged_commands_pam_timestamp_check
 
     # RHEL-08-030350
-    # - audit_ospp_general
+    - audit_rules_privileged_commands_newgrp
 
     # RHEL-08-030360
-    # - audit_module_load
+    - audit_rules_kernel_module_loading_init
+
+    # RHEL-08-030361
+    - audit_rules_file_deletion_events_rename
 
-    # RHEL-08-030361, RHEL-08-030362
-    # - audit_delete_failed
-    # - audit_delete_success
+    # RHEL-08-030362
+    - audit_rules_file_deletion_events_renameat
 
     # RHEL-08-030363
+    - audit_rules_file_deletion_events_rmdir
 
-    # RHEL-08-030364, RHEL-08-030365
-    # - audit_delete_failed
-    # - audit_delete_success
+    # RHEL-08-030364
+    - audit_rules_file_deletion_events_unlink
+
+    # RHEL-08-030365
+    - audit_rules_file_deletion_events_unlinkat
 
     # RHEL-08-030370
-    # - audit_ospp_general
+    - audit_rules_privileged_commands_gpasswd
+
+    # RHEL-08-030380
+    - audit_rules_kernel_module_loading_finit
 
-    # RHEL-08-030380, RHEL-08-030390
-    # - audit_module_load
+    # RHEL-08-030390
+    - audit_rules_kernel_module_loading_delete
 
     # RHEL-08-030400
-    # - audit_ospp_general
+    - audit_rules_privileged_commands_crontab
 
     # RHEL-08-030410
-    # - audit_rules_privileged_commands_chsh
+    - audit_rules_privileged_commands_chsh
 
     # RHEL-08-030420
-    # - audit_modify_failed
-    # - audit_modify_success
+    - audit_rules_unsuccessful_file_modification_truncate
+
+    # RHEL-08-030430
+    - audit_rules_unsuccessful_file_modification_openat
+
+    # RHEL-08-030440
+    - audit_rules_unsuccessful_file_modification_open
 
-    # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450
-    # - audit_create_failed
-    # - audit_create_success
-    # - audit_modify_failed
-    # - audit_modify_success
-    # - audit_access_failed
-    # - audit_access_success
+    # RHEL-08-030450
+    - audit_rules_unsuccessful_file_modification_open_by_handle_at
 
     # RHEL-08-030460
-    # - audit_modify_failed
-    # - audit_modify_success
+    - audit_rules_unsuccessful_file_modification_ftruncate
 
     # RHEL-08-030470
-    # - audit_create_failed
-    # - audit_create_success
+    - audit_rules_unsuccessful_file_modification_creat
 
     # RHEL-08-030480
-    # - audit_owner_change_failed
-    # - audit_owner_change_success
+    - audit_rules_dac_modification_chown
 
     # RHEL-08-030490
-    # - audit_perm_change_failed
-    # - audit_perm_change_success
+    - audit_rules_dac_modification_chmod
+
+    # RHEL-08-030500
+    - audit_rules_dac_modification_lchown
+
+    # RHEL-08-030510
+    - audit_rules_dac_modification_fchownat
+
+    # RHEL-08-030520
+    - audit_rules_dac_modification_fchown
 
-    # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520
-    # - audit_owner_change_failed
-    # - audit_owner_change_success
+    # RHEL-08-030530
+    - audit_rules_dac_modification_fchmodat
 
-    # RHEL-08-030530, RHEL-08-030540
-    # - audit_perm_change_failed
-    # - audit_perm_change_success
+    # RHEL-08-030540
+    - audit_rules_dac_modification_fchmod
 
     # RHEL-08-030550
-    # - audit_rules_privileged_commands_sudo
+    - audit_rules_privileged_commands_sudo
 
     # RHEL-08-030560
+    - audit_rules_privileged_commands_usermod
 
     # RHEL-08-030570
+    - audit_rules_execution_chacl
 
     # RHEL-08-030580
+    - audit_rules_privileged_commands_kmod
 
     # RHEL-08-030590
+    # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
+    # implemented as it is the one that configures a different patch for the events of failing locks
     # - audit_rules_login_events_faillock
 
     # RHEL-08-030600
-    # - audit_rules_login_events_lastlog
+    - audit_rules_login_events_lastlog
 
     # RHEL-08-030601
     - grub2_audit_argument
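Review bot: Three controls in this block are still unselected after the change: RHEL-08-030171 (`# should be split`), RHEL-08-030310 (`# missing rule`) and RHEL-08-030590 (faillock). A scan with this profile will presumably report nothing for them rather than a failure. Each of those comments would be easier to act on with a tracking reference, and the faillock comment says `a different patch` where `a different path` appears to be meant. Because `audit_rules_immutable` is now selected alongside many other audit rules, it is worth confirming that remediation leaves the immutable flag as the last rule loaded, since rule changes made after it takes effect need a reboot to apply.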

From e88a8ad0bece18a8b7dcd350af9706134c827458 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 18:00:18 +0200
Subject: [PATCH 02/21] Update audit template to include perm=x for binaries.

---
 .../audit_rules_privileged_commands/ansible.template          | 2 +-
 .../templates/audit_rules_privileged_commands/bash.template   | 2 +-
 .../templates/audit_rules_privileged_commands/oval.template   | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index 0a0f06fba2..ec7b7d7605 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -26,7 +26,7 @@
       - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
   when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
 
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["rhel8", "sle12", "sle15"] %}}
 
 - name: Inserts/replaces the {{{ NAME }}} rule in rules.d
   lineinfile:
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 85dbc9b828..100a4770bf 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -7,7 +7,7 @@ PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"
 GROUP="privileged"
 # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
 ARCH=""
-FULL_RULE="-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
+FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ "-F perm=x " if product in ["rhel8"]}}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
 fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
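Review bot: The inline expression `{{{ "-F perm=x " if product in ["rhel8"]}}}` in FULL_RULE has no `else` branch, so for every other product it relies on the template engine rendering an undefined value as an empty string; `{{{ "-F perm=x " if product in ["rhel8"] else "" }}}` makes that explicit. The product list is also narrower than the `["rhel8", "sle12", "sle15"]` condition this commit uses in the Ansible and OVAL templates, so a short comment saying that Bash remediation on SLE intentionally omits `perm=x` would help the next reader. PATTERN, on the hunk-header line, is unchanged and matches an existing rule for the path with or without `perm=x`; how `fix_audit_syscall_rule` treats such a match is not visible here and should be checked, so that an older rule is replaced rather than left in place.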
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index c68df7671f..151a9d5d47 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -23,7 +23,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_{{{ ID }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["rhel8", "sle12", "sle15"] %}}
     <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(-S[\s]+all[\s]+)*-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
 {{% else %}}
     <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
@@ -36,7 +36,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_{{{ ID }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["rhel8", "sle12", "sle15"] %}}
     <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
 {{% else %}}
     <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
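Review bot: With rhel8 moved into the first branch, the two rhel8 patterns do not accept the same rule text: the augenrules pattern in the previous hunk allows an optional `-S all` and `auid!=-1`, while the auditctl pattern here allows neither. The same rule line can therefore pass when it sits under `/etc/audit/rules.d/` and fail when it is in `/etc/audit/audit.rules`. Both patterns also keep the filter optional, `(?:[\s]+-F[\s]+perm=x)?`, so the check passes for a rule without the `perm=x` that the Bash remediation now writes for rhel8; if the STIG text requires it, the group should be mandatory for that product. The enclosing `textfilecontent54_object` closes outside the hunk.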

From 78134285266b3d559d8eb89d9dd4b68d37de7a26 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 18:01:57 +0200
Subject: [PATCH 03/21] Remove remediation that copies entire ospp audit rules
 file.

---
 .../bash/shared.sh                                          | 6 ------
 .../bash/shared.sh                                          | 6 ------
 .../bash/shared.sh                                          | 6 ------
 3 files changed, 18 deletions(-)
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh
 delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh
deleted file mode 100644
index c93a8d8805..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
-#
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh
deleted file mode 100644
index c93a8d8805..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
-#
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh
deleted file mode 100644
index 1e021c4f80..0000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel
-#
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules

From e6cb5c196e18d9dddf4c1754a438e4a6b8f8b214 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 18:02:46 +0200
Subject: [PATCH 04/21] Use audit template in kmod privileged command.

Make SLE content specific to their product.
---
 .../ansible/{shared.yml => sle12.yml}         |  0
 .../ansible/sle15.yml                         | 42 +++++++++++++++++++
 .../oval/{shared.xml => sle12.xml}            |  0
 .../oval/sle15.xml                            | 39 +++++++++++++++++
 .../rule.yml                                  |  5 +++
 5 files changed, 86 insertions(+)
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/{shared.yml => sle12.yml} (100%)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml
 rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/{shared.xml => sle12.xml} (100%)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle12.yml
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/shared.yml
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle12.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml
new file mode 100644
index 0000000000..6d128bc207
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml
@@ -0,0 +1,42 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Service facts
+  service_facts:
+
+- name: Check the rules script being used
+  command:
+    grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
+  register: check_rules_scripts_result
+
+- name: Update kmod in /etc/audit/rules.d/audit.rules
+  lineinfile:
+    path: /etc/audit/rules.d/audit.rules
+    line: '-w /usr/bin/kmod -p x -k modules'
+    create: yes
+  when:
+    - '"auditd.service" in ansible_facts.services'
+    - '"augenrules" in check_rules_scripts_result.stdout'
+  register: augenrules_audit_rules_kmod_update_result
+
+- name: Update kmod in /etc/audit/audit.rules
+  lineinfile:
+    path: /etc/audit/audit.rules
+    line: '-w /usr/bin/kmod -p x -k modules'
+    create: yes
+  when:
+    - '"auditd.service" in ansible_facts.services'
+    - '"auditctl" in check_rules_scripts_result.stdout'
+  register: auditctl_audit_rules_kmod_update_result
+
+- name: Restart auditd.service
+  systemd:
+    name: auditd.service
+    state: restarted
+  when:
+    - (augenrules_audit_rules_kmod_update_result.changed or
+       auditctl_audit_rules_kmod_update_result.changed)
+    - ansible_facts.services["auditd.service"].state == "running"
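Review bot: The `Check the rules script being used` task runs `grep` through `command` with no result handling. It reports `changed` on every run, it aborts the play when the unit file has no `ExecStartPost` line (grep exits 1), and it is skipped in check mode, which leaves `check_rules_scripts_result.stdout` undefined for the two `when` clauses that read it. Adding `changed_when: false`, `failed_when: check_rules_scripts_result.rc > 1` and `check_mode: no` to that task covers all three. The task also reads only `/usr/lib/systemd/system/auditd.service`, so an override unit under `/etc/systemd/system` is presumably not considered when choosing which rules file to edit.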
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle12.xml
similarity index 100%
rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/shared.xml
rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle12.xml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml
new file mode 100644
index 0000000000..4fb3d2fc1c
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml
@@ -0,0 +1,39 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_privileged_commands_kmod" version="1">
+    {{{ oval_metadata("Ensure audit rule for all uses of the kmod command is enabled.") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules kmod" test_ref="test_kmod_augenrules" />
+      </criteria>
+
+      <!-- Test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl kmod" test_ref="test_kmod_auditctl" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules kmod" id="test_kmod_augenrules" version="1">
+    <ind:object object_ref="object_kmod_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_kmod_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-w[\s]+/usr/bin/kmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl kmod" id="test_kmod_auditctl" version="1">
+    <ind:object object_ref="object_kmod_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_kmod_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-w[\s]+/usr/bin/kmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
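Review bot: Both tests use `check_existence="only_one_exists"` while the objects collect every matching line (`instance` greater than or equal to 1), so a host where the kmod watch appears twice, for example in two files under `/etc/audit/rules.d/`, would presumably fail the check although the rule is in force. If a duplicate is not meant to be a finding, `check_existence="at_least_one_exists"` expresses that. If it is meant to be one, a comment above each test saying so would spare the next maintainer from treating it as a false positive. The pattern also accepts only the watch form with the literal key `modules`; that is worth stating in the definition's metadata.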
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index dbba6f8636..168d5c51fc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -53,3 +53,8 @@ ocil: |-
     return a line, or the line is commented out, this is a finding.
 
 platform: machine
+
+template:
+    name: audit_rules_privileged_commands
+    vars:
+        path: /usr/bin/kmod
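Review bot: The template added here gives products without their own files a rule of the form `-a always,exit -F path=/usr/bin/kmod … -F key=privileged` (see the `audit_rules_privileged_commands` Bash template earlier in this series), while the SLE files created in the same commit check and write the watch form `-w /usr/bin/kmod -p x -k modules`. The `ocil` block ends in the context lines of this hunk and its start is outside it, so please confirm that the manual check it describes matches the form each product actually gets. Otherwise an assessor following the OCIL on RHEL 8 may record a finding on a correctly remediated system. A comment above `template:`, such as `# RHEL 8 uses the shared template; SLE keeps product-specific content`, would make the split explicit.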

From 12e793f8340a48418214e73e05248e259c7d16b5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 28 Apr 2021 18:56:03 +0200
Subject: [PATCH 05/21] Extend audit_rules_dac_modification to support auid=0
 checking.

---
 .../rule.yml                                  |  1 +
 .../rule.yml                                  |  1 +
 .../rule.yml                                  |  1 +
 .../rule.yml                                  |  1 +
 .../rule.yml                                  |  1 +
 .../rule.yml                                  |  1 +
 .../bash.template                             | 16 +++++-
 .../oval.template                             | 53 +++++++++++++++++++
 .../audit_rules_dac_modification/template.py  |  7 +++
 9 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 shared/templates/audit_rules_dac_modification/template.py

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index d5ff634e95..294a7ebfd2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -78,3 +78,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: fremovexattr
+        check_root_user: "true"
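Review bot: `check_root_user: "true"` passes a quoted string, and the Bash template tests it with `{{% if CHECK_ROOT_USER %}}`, where any non-empty string, including `"false"`, is truthy. The new `template.py` listed in the diffstat is outside this view, so it should be confirmed that it converts the value to a boolean; if it does not, a rule that later sets `"false"` would still get the `auid=0` audit rules. The same line is added in the fsetxattr, lremovexattr, lsetxattr, removexattr and setxattr `rule.yml` hunks that follow. A one-line comment next to the variable naming the accepted values would document the contract.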
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 034a22a987..9b01a07515 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -73,3 +73,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: fsetxattr
+        check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 2245a13e11..577af632aa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -78,3 +78,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: lremovexattr
+        check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index 6218e6fc10..d6be12af63 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -71,3 +71,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: lsetxattr
+        check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index 6565d3fcc2..982d6d377c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -77,3 +77,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: removexattr
+        check_root_user: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 7babe9d2a7..71c31e2d15 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -73,3 +73,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: setxattr
+        check_root_user: "true"
diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template
index f0d3b6978a..a10a9145b2 100644
--- a/shared/templates/audit_rules_dac_modification/bash.template
+++ b/shared/templates/audit_rules_dac_modification/bash.template
@@ -9,7 +9,7 @@
 
 for ARCH in "${RULE_ARCHS[@]}"
 do
-	PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}}.*"
+	PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*"
 	GROUP="perm_mod"
 	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
 
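Review bot: The narrowed `PATTERN` only matches when `-F auid>=` directly follows `-S {{{ ATTR }}}`, so an existing rule that lists this syscall together with others or puts another `-F` field first is no longer recognised. How `fix_audit_syscall_rule` treats a non-match is not visible here, but if it appends `FULL_RULE`, such hosts would end up with a second rule for the same syscall. The tightening is presumably there to keep this rule apart from the `auid=0` one added below, which deserves a comment above the assignment, e.g. `# Match only the auid>= variant; the auid=0 rule is handled separately`. The loop body continues past the end of this hunk.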
@@ -17,3 +17,17 @@ do
 	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
 	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
 done
+
+
+{{% if CHECK_ROOT_USER %}}
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*"
+	GROUP="perm_mod"
+	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
+
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
+{{% endif %}}
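Review bot: The new loop has no comment saying why a second rule is needed, and it repeats the first loop line for line apart from the auid filter. I'd add `# The auid>= rule above does not match sessions whose login UID is 0; record those as well.` before `PATTERN` (assuming the configured threshold is above 0). The two loops could also be folded into one so the `fix_audit_syscall_rule` calls are written once, with the `auid=0` part guarded by `CHECK_ROOT_USER`.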
diff --git a/shared/templates/audit_rules_dac_modification/oval.template b/shared/templates/audit_rules_dac_modification/oval.template
index 5b1bf5dc6d..6e02cc7f09 100644
--- a/shared/templates/audit_rules_dac_modification/oval.template
+++ b/shared/templates/audit_rules_dac_modification/oval.template
@@ -7,11 +7,19 @@
       <criteria operator="AND">
         <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
         <criterion comment="audit augenrules 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_augenrules" />
+{{% if CHECK_ROOT_USER %}}
+        <criterion comment="audit augenrules 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
+{{% endif %}}
+        
         <criteria operator="OR">
           <!-- System either isn't 64-bit => we just check presence of 32-bit version of {{{ ATTR }}} audit DAC rule -->
           <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
           <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of {{{ ATTR }}} audit DAC rule -->
           <criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules" />
+{{% if CHECK_ROOT_USER %}}
+          <criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules" />
+{{% endif %}}
+
         </criteria>
       </criteria>
 
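Review bot: The 64-bit auid=0 criterion is added as a third member of `<criteria operator="OR">`, so on a 64-bit host the group is already satisfied by the ordinary 64-bit test and the b64 `auid=0` rule is never required. Wrapping the two 64-bit criteria in their own `<criteria operator="AND">` … `</criteria>` inside the OR would make both mandatory there. The auditctl hunk that follows (`@@ -19,11 +27,17 @@`) has the same placement, and the later `@@ -10,14 +10,14 @@` hunk that corrects the `test_ref` leaves it unchanged. The added criteria also reuse the `comment` text of the existing ones; appending `auid=0` would keep them apart in scan results.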
@@ -19,11 +27,17 @@
       <criteria operator="AND">
         <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
         <criterion comment="audit auditctl 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_auditctl" />
+{{% if CHECK_ROOT_USER %}}
+        <criterion comment="audit auditctl 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_auditctl_auid_0" />
+{{% endif %}}
         <criteria operator="OR">
           <!-- System either isn't 64-bit => we just check presence of 32-bit version of {{{ ATTR }}} audit DAC rule -->
           <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
           <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of {{{ ATTR }}} audit DAC rule -->
           <criterion comment="audit auditctl 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_auditctl" />
+{{% if CHECK_ROOT_USER %}}
+          <criterion comment="audit auditctl 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_auditctl_auid_0" />
+{{% endif %}}
         </criteria>
       </criteria>
 
@@ -66,4 +80,43 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
+{{% if CHECK_ROOT_USER %}}
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit {{{ ATTR }}} auid=0" id="test_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" version="1">
+    <ind:object object_ref="object_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit {{{ ATTR }}}" id="test_64bit_ardm_{{{ ATTR }}}_augenrules_auid_0" version="1">
+    <ind:object object_ref="object_64bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_64bit_ardm_{{{ ATTR }}}_augenrules_auid_0" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit {{{ ATTR }}}" id="test_32bit_ardm_{{{ ATTR }}}_auditctl_auid_0" version="1">
+    <ind:object object_ref="object_32bit_ardm_{{{ ATTR }}}_auditctl_auid_0" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_32bit_ardm_{{{ ATTR }}}_auditctl_auid_0" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit {{{ ATTR }}}" id="test_64bit_ardm_{{{ ATTR }}}_auditctl_auid_0" version="1">
+    <ind:object object_ref="object_64bit_ardm_{{{ ATTR }}}_auditctl_auid_0" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_64bit_ardm_{{{ ATTR }}}_auditctl_auid_0" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
+
 </def-group>
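Review bot: Three of the four new tests carry the same `comment` as the existing non-root tests; only the 32-bit augenrules one says `auid=0`, which makes results hard to tell apart in a report. I'd append it to the other three, e.g. `comment="audit auditctl 64-bit {{{ ATTR }}} auid=0"`. The four patterns differ only in `b32`/`b64`, so a Jinja macro taking the arch would keep them from drifting.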
diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py
new file mode 100644
index 0000000000..e12e9c27e5
--- /dev/null
+++ b/shared/templates/audit_rules_dac_modification/template.py
@@ -0,0 +1,7 @@
+from ssg.utils import parse_template_boolean_value
+
+
+def preprocess(data, lang):
+    data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False)
+
+    return data
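Review bot: `preprocess` has no docstring, and nothing here records that rules pass `check_root_user` as the string `"true"`, which is why the value goes through `parse_template_boolean_value`. I'd add `"""Convert the check_root_user template variable to a bool; False when the rule does not set it."""`. `lang` is unused in the body, presumably because the template interface requires the parameter; a one-line comment would confirm that.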

From af8b663e00889010ac4d99fb0988aacf6b3ce651 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 17 May 2021 18:07:30 +0200
Subject: [PATCH 06/21] Simplify perm=x code around
 audit_rules_privileged_commands template.

Also change the OVAL check regex to make perm=x mandatory by removing the ?
character that followed it in the regex.
---
 .../oval.template                             |  4 +--
 .../ansible.template                          | 26 ++++---------------
 .../bash.template                             |  5 +++-
 .../oval.template                             | 15 ++++-------
 4 files changed, 16 insertions(+), 34 deletions(-)

diff --git a/shared/templates/audit_rules_dac_modification/oval.template b/shared/templates/audit_rules_dac_modification/oval.template
index 6e02cc7f09..8f30bef022 100644
--- a/shared/templates/audit_rules_dac_modification/oval.template
+++ b/shared/templates/audit_rules_dac_modification/oval.template
@@ -10,14 +10,14 @@
 {{% if CHECK_ROOT_USER %}}
         <criterion comment="audit augenrules 32-bit {{{ ATTR }}}" test_ref="test_32bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
 {{% endif %}}
-        
+
         <criteria operator="OR">
           <!-- System either isn't 64-bit => we just check presence of 32-bit version of {{{ ATTR }}} audit DAC rule -->
           <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
           <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit version of {{{ ATTR }}} audit DAC rule -->
           <criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules" />
 {{% if CHECK_ROOT_USER %}}
-          <criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules" />
+          <criterion comment="audit augenrules 64-bit {{{ ATTR }}}" test_ref="test_64bit_ardm_{{{ ATTR }}}_augenrules_auid_0" />
 {{% endif %}}
 
         </criteria>
diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index ec7b7d7605..a245de6673 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -1,3 +1,6 @@
+{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = restrict
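Review bot: `perm_x` is set only inside the `if`, so for any product outside the list the later `{{{ perm_x }}}` expands an undefined variable. That renders as an empty string only when the Jinja environment uses the default undefined type, which is not visible from here; with a strict one the template would fail to build. An explicit `{{%- else %}}` branch with `{{%- set perm_x="" %}}` removes the dependency. The same block is added at the top of `bash.template` and `oval.template` in this commit.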
@@ -26,12 +29,11 @@
       - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
   when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
 
-{{% if product in ["rhel8", "sle12", "sle15"] %}}
 
 - name: Inserts/replaces the {{{ NAME }}} rule in rules.d
   lineinfile:
     path: "{{ all_files[0] }}"
-    line: '-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+    line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
     create: yes
 
 # Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
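Review bot: This `lineinfile` task has `line` but no `regexp`, so despite its name it can only add the line, never replace an existing rule for the same path. A host that already holds the rule without `-F perm=x` would get the new rule next to the stale one. Adding a `regexp` keyed on the path, for instance `regexp: '^\s*-a\s+always,exit\s+-F\s+path={{{ PATH }}}\s'`, would turn it into a replacement. The audit.rules task in the next hunk needs the same.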
@@ -39,23 +41,5 @@
 - name: Inserts/replaces the {{{ NAME }}} rule in audit.rules
   lineinfile:
     path: /etc/audit/audit.rules
-    line: '-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+    line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
     create: yes
-
-{{% else %}}
-
-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d
-  lineinfile:
-    path: "{{ all_files[0] }}"
-    line: '-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
-    create: yes
-
-# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
-
-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules
-  lineinfile:
-    path: /etc/audit/audit.rules
-    line: '-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
-    create: yes
-
-{{% endif %}}
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 100a4770bf..2b3795674f 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,3 +1,6 @@
+{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 
 # Include source function library.
@@ -7,7 +10,7 @@ PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"
 GROUP="privileged"
 # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
 ARCH=""
-FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ "-F perm=x " if product in ["rhel8"]}}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
+FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
 fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index 151a9d5d47..8e3919ca66 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -1,3 +1,6 @@
+{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+  {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
+{{%- endif %}}
 <def-group>
   <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
     {{{ oval_metadata("Audit rules about the information on the use of " + NAME + " is enabled.") }}}
@@ -23,11 +26,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_{{{ ID }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-{{% if product in ["rhel8", "sle12", "sle15"] %}}
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(-S[\s]+all[\s]+)*-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-{{% else %}}
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-{{% endif %}}
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
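Review bot: Besides making `perm=x` mandatory, the unified augenrules pattern drops two things the removed rhel8/sle pattern accepted: the optional `(-S[\s]+all[\s]+)*` prefix and `-1` in the `auid!=` alternation. The commit message mentions only the `?`, so rules written with `-S all` or `auid!=-1` would start failing the check, possibly unintentionally. If that is not intended, keep `(-S[\s]+all[\s]+)*` after `always,exit[\s]+` and use `auid!=(?:4294967295|unset|-1)`.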
@@ -36,11 +35,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_{{{ ID }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-{{% if product in ["rhel8", "sle12", "sle15"] %}}
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-{{% else %}}
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-{{% endif %}}
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 

From 4cf80fd7eff49d6e14852947e76a302ca2993db7 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 30 Jul 2021 15:04:14 +0200
Subject: [PATCH 07/21] Fix audit bash remediation to remove the auid!=unset
 when using auid=0.

---
 shared/templates/audit_rules_dac_modification/bash.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template
index a10a9145b2..d64d264635 100644
--- a/shared/templates/audit_rules_dac_modification/bash.template
+++ b/shared/templates/audit_rules_dac_modification/bash.template
@@ -24,7 +24,7 @@ for ARCH in "${RULE_ARCHS[@]}"
 do
 	PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*"
 	GROUP="perm_mod"
-	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
+	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
 
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

From 0833b43bfa039c4ee661049fb25b86ef3854b614 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 30 Jul 2021 15:04:55 +0200
Subject: [PATCH 08/21] Update audit_rules_dac_modification ansible remediation
 with auid=0 fix.

---
 .../ansible.template                          | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
index 70101ca777..d048978456 100644
--- a/shared/templates/audit_rules_dac_modification/ansible.template
+++ b/shared/templates/audit_rules_dac_modification/ansible.template
@@ -40,12 +40,29 @@
     line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
     create: yes
 
+{{%- if CHECK_ROOT_USER %}}
+- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86
+  lineinfile:
+    path: "{{ all_files[0] }}"
+    line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+    create: yes
+{{%- endif %}}
+
 - name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86_64
   lineinfile:
     path: "{{ all_files[0] }}"
     line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
     create: yes
   when: audit_arch is defined and audit_arch == 'b64'
+
+{{%- if CHECK_ROOT_USER %}}
+- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86_64
+  lineinfile:
+    path: "{{ all_files[0] }}"
+    line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+    create: yes
+  when: audit_arch is defined and audit_arch == 'b64'
+{{%- endif %}}
 #   
 # Inserts/replaces the rule in /etc/audit/audit.rules
 #
@@ -56,6 +73,15 @@
     dest: /etc/audit/audit.rules
     create: yes
 
+{{%- if CHECK_ROOT_USER %}}
+- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in /etc/audit/audit.rules when on x86
+  lineinfile:
+    line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+    state: present
+    dest: /etc/audit/audit.rules
+    create: yes
+{{%- endif %}}
+
 - name: Inserts/replaces the {{{ ATTR }}} rule in audit.rules when on x86_64
   lineinfile:
     line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
@@ -63,3 +89,13 @@
     dest: /etc/audit/audit.rules
     create: yes
   when: audit_arch is defined and audit_arch == 'b64'
+
+{{%- if CHECK_ROOT_USER %}}
+- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in audit.rules when on x86_64
+  lineinfile:
+    line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
+    state: present
+    dest: /etc/audit/audit.rules
+    create: yes
+  when: audit_arch is defined and audit_arch == 'b64'
+{{%- endif %}}
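Review bot: The last added task still writes `-F auid=0 -F auid!=unset`, while the other three auid=0 tasks in this commit and the bash remediation use `-F auid=0 -F key=perm_mod`. On 64-bit hosts audit.rules would therefore get a different rule than rules.d. The line should be `line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"`.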

From 314251db8fbff07ac4b796944381f9bb1eef05c2 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 30 Jul 2021 15:05:42 +0200
Subject: [PATCH 09/21] Update audit_rules_dac_modification rules description.

Make the check_root_user template parameter applicable only to RHEL8.
---
 .../rule.yml                                       | 14 +++++++++++++-
 .../rule.yml                                       | 14 +++++++++++++-
 .../rule.yml                                       | 14 +++++++++++++-
 .../rule.yml                                       | 14 +++++++++++++-
 .../rule.yml                                       | 14 +++++++++++++-
 .../audit_rules_dac_modification_setxattr/rule.yml | 14 +++++++++++++-
 6 files changed, 78 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index 294a7ebfd2..e1a2492c4c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -11,17 +11,29 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
 
 rationale: |-
     The changing of file permissions could indicate that a user is attempting to
@@ -78,4 +90,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: fremovexattr
-        check_root_user: "true"
+        check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 9b01a07515..4c27cbf7fb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -9,14 +9,26 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
 
 rationale: |-
     The changing of file permissions could indicate that a user is attempting to
@@ -73,4 +85,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: fsetxattr
-        check_root_user: "true"
+        check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 577af632aa..ad034bc570 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -11,17 +11,29 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
 
 rationale: |-
     The changing of file permissions could indicate that a user is attempting to
@@ -78,4 +90,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: lremovexattr
-        check_root_user: "true"
+        check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index d6be12af63..a3895bd4c7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -9,14 +9,26 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
 
 rationale: |-
     The changing of file permissions could indicate that a user is attempting to
@@ -71,4 +83,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: lsetxattr
-        check_root_user: "true"
+        check_root_user@rhel8: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index 982d6d377c..eee86b99de 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -10,17 +10,29 @@ description: |-
     program to read audit rules during daemon startup (the default), add the
     following line to a file with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
 
 rationale: |-
     The changing of file permissions could indicate that a user is attempting to
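Review bot: The added 64-bit rules.d line names the wrong syscall: it says `-S lsetxattr` inside the description of the removexattr rule. It should read `<pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>`, matching the other three lines added in this hunk. The description block starts before the hunk.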
@@ -77,4 +89,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: removexattr
-        check_root_user: "true"
+        check_root_user@rhel8: "true"
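Review bot: Replacing the unqualified `check_root_user` with `check_root_user@rhel8` narrows the template's root-user handling to rhel8, so any other product that builds this rule presumably stops getting the `auid=0` variant in its generated check and remediation. That looks intended given the rhel8-only description lines, but it is worth confirming that no other product relied on the old value. The product condition now lives in two places, the `{{%- if product in ["rhel8"] %}}` blocks in the description and this var, so a comment such as `# keep in sync with the rhel8-only auid=0 lines in the description` above the var would help. The setxattr rule.yml hunk further down makes the same change.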
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 71c31e2d15..4a90ed9f96 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -9,14 +9,26 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
+{{%- if product in ["rhel8"] %}}
+    <pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
+{{%- endif %}}
 
 rationale: |-
     The changing of file permissions could indicate that a user is attempting to
@@ -73,4 +85,4 @@ template:
     name: audit_rules_dac_modification
     vars:
         attr: setxattr
-        check_root_user: "true"
+        check_root_user@rhel8: "true"

From 48ce4b6e4803f92291c44acc990bd6a61baf4128 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 30 Jul 2021 16:54:48 +0200
Subject: [PATCH 10/21] Remove rule that is selected twice in RHEL8 STIG
 profile.

It's already part of the following STIG id:
    # RHEL-08-010560
    - service_auditd_enabled
---
 products/rhel8/profiles/stig.profile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index c3eee7fae0..3cbb4796ac 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -681,7 +681,6 @@ selections:
 
     # RHEL-08-030180
     - package_audit_installed
-    - service_auditd_enabled
 
     # RHEL-08-030190
     - audit_rules_privileged_commands_su

From 7f23cee71a3fc1791b26c4e59339d73063fe867e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 2 Aug 2021 15:36:55 +0200
Subject: [PATCH 11/21] Fix RHEL8 STIG id references in audit rules.

---
 .../audit_rules_dac_modification_chmod/rule.yml             | 3 ++-
 .../audit_rules_dac_modification_chown/rule.yml             | 3 ++-
 .../audit_rules_dac_modification_fchmod/rule.yml            | 3 ++-
 .../audit_rules_dac_modification_fchmodat/rule.yml          | 3 ++-
 .../audit_rules_dac_modification_fchown/rule.yml            | 3 ++-
 .../audit_rules_dac_modification_fchownat/rule.yml          | 3 ++-
 .../audit_rules_dac_modification_fremovexattr/rule.yml      | 3 ++-
 .../audit_rules_dac_modification_fsetxattr/rule.yml         | 3 ++-
 .../audit_rules_dac_modification_lchown/rule.yml            | 3 ++-
 .../audit_rules_dac_modification_lremovexattr/rule.yml      | 3 ++-
 .../audit_rules_dac_modification_lsetxattr/rule.yml         | 3 ++-
 .../audit_rules_dac_modification_removexattr/rule.yml       | 5 +++--
 .../audit_rules_dac_modification_setxattr/rule.yml          | 3 ++-
 .../audit_rules_execution_chacl/rule.yml                    | 4 +++-
 .../audit_rules_execution_setfacl/rule.yml                  | 4 +++-
 .../audit_rules_execution_chcon/rule.yml                    | 3 ++-
 .../audit_rules_execution_semanage/rule.yml                 | 5 +++--
 .../audit_rules_execution_setfiles/rule.yml                 | 5 +++--
 .../audit_rules_execution_setsebool/rule.yml                | 5 +++--
 .../audit_rules_file_deletion_events_rename/rule.yml        | 5 +++--
 .../audit_rules_file_deletion_events_renameat/rule.yml      | 5 +++--
 .../audit_rules_file_deletion_events_rmdir/rule.yml         | 5 +++--
 .../audit_rules_file_deletion_events_unlink/rule.yml        | 5 +++--
 .../audit_rules_file_deletion_events_unlinkat/rule.yml      | 5 +++--
 .../rule.yml                                                | 3 ++-
 .../rule.yml                                                | 3 ++-
 .../rule.yml                                                | 3 ++-
 .../rule.yml                                                | 3 ++-
 .../rule.yml                                                | 3 ++-
 .../rule.yml                                                | 5 +++--
 .../audit_rules_kernel_module_loading_delete/rule.yml       | 3 ++-
 .../audit_rules_kernel_module_loading_finit/rule.yml        | 3 ++-
 .../audit_rules_kernel_module_loading_init/rule.yml         | 3 ++-
 .../audit_rules_login_events_lastlog/rule.yml               | 4 ++--
 .../audit_rules_privileged_commands_chage/rule.yml          | 5 +++--
 .../audit_rules_privileged_commands_chsh/rule.yml           | 5 +++--
 .../audit_rules_privileged_commands_crontab/rule.yml        | 5 +++--
 .../audit_rules_privileged_commands_gpasswd/rule.yml        | 5 +++--
 .../audit_rules_privileged_commands_kmod/rule.yml           | 4 +++-
 .../audit_rules_privileged_commands_mount/rule.yml          | 1 +
 .../audit_rules_privileged_commands_newgrp/rule.yml         | 5 +++--
 .../rule.yml                                                | 5 +++--
 .../audit_rules_privileged_commands_passwd/rule.yml         | 5 +++--
 .../audit_rules_privileged_commands_postdrop/rule.yml       | 5 +++--
 .../audit_rules_privileged_commands_postqueue/rule.yml      | 5 +++--
 .../audit_rules_privileged_commands_ssh_agent/rule.yml      | 6 ++++--
 .../audit_rules_privileged_commands_ssh_keysign/rule.yml    | 5 +++--
 .../audit_rules_privileged_commands_su/rule.yml             | 5 +++--
 .../audit_rules_privileged_commands_sudo/rule.yml           | 5 +++--
 .../audit_rules_privileged_commands_umount/rule.yml         | 1 +
 .../audit_rules_privileged_commands_unix_chkpwd/rule.yml    | 3 ++-
 .../audit_rules_privileged_commands_userhelper/rule.yml     | 5 +++--
 .../audit_rules_privileged_commands_usermod/rule.yml        | 4 +++-
 .../auditd_configure_rules/audit_rules_immutable/rule.yml   | 2 ++
 .../audit_rules_media_export/rule.yml                       | 5 +++--
 .../audit_rules_sysadmin_actions/rule.yml                   | 2 +-
 .../audit_rules_usergroup_modification_group/rule.yml       | 4 ++--
 .../audit_rules_usergroup_modification_gshadow/rule.yml     | 4 ++--
 .../audit_rules_usergroup_modification_opasswd/rule.yml     | 4 ++--
 .../audit_rules_usergroup_modification_passwd/rule.yml      | 4 ++--
 .../audit_rules_usergroup_modification_shadow/rule.yml      | 4 ++--
 .../guide/system/auditing/grub2_audit_argument/rule.yml     | 2 +-
 .../policy_rules/audit_immutable_login_uids/rule.yml        | 3 ++-
 products/rhel8/profiles/stig.profile                        | 2 +-
 shared/references/cce-redhat-avail.txt                      | 5 -----
 65 files changed, 153 insertions(+), 97 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
index 4cb9bb5cf4..bc3e47523f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
@@ -52,9 +52,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
     stigid@ol7: OL07-00-030410
     stigid@rhel7: RHEL-07-030410
+    stigid@rhel8: RHEL-08-030490
     stigid@sle12: SLES-12-020460
     stigid@sle15: SLES-15-030290
     stigid@ubuntu2004: UBTU-20-010152
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
index cbac49dd12..6b3236cf95 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
@@ -52,9 +52,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
     stigid@ol7: OL07-00-030370
     stigid@rhel7: RHEL-07-030370
+    stigid@rhel8: RHEL-08-030480
     stigid@sle12: SLES-12-020420
     stigid@sle15: SLES-15-030250
     stigid@ubuntu2004: UBTU-20-010148
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index 81f2f067ba..ed4d88cb0c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -52,9 +52,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
     stigid@ol7: OL07-00-030420
     stigid@rhel7: RHEL-07-030420
+    stigid@rhel8: RHEL-08-030540
     stigid@sle12: SLES-12-020470
     stigid@sle15: SLES-15-030300
     stigid@ubuntu2004: UBTU-20-010153
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
index 7fcf1c7ef1..2db3878939 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
@@ -52,9 +52,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
     stigid@ol7: OL07-00-030430
     stigid@rhel7: RHEL-07-030430
+    stigid@rhel8: RHEL-08-030530
     stigid@sle12: SLES-12-020480
     stigid@sle15: SLES-12-030310
     stigid@ubuntu2004: UBTU-20-010154
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
index d696862377..37dfb89ef2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
@@ -55,9 +55,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
     stigid@ol7: OL07-00-030380
     stigid@rhel7: RHEL-07-030380
+    stigid@rhel8: RHEL-08-030520
     stigid@sle12: SLES-12-020430
     stigid@sle15: SLES-15-030260
     stigid@ubuntu2004: UBTU-20-010149
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
index 0213d78fbc..f75ac769d8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
@@ -52,9 +52,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
     stigid@ol7: OL07-00-030400
     stigid@rhel7: RHEL-07-030400
+    stigid@rhel8: RHEL-08-030510
     stigid@sle12: SLES-12-020450
     stigid@sle15: SLES-15-030280
     stigid@ubuntu2004: UBTU-20-010150
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index e1a2492c4c..d46968da8f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -69,9 +69,10 @@ references:
     nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
     stigid@ol7: OL07-00-030480
     stigid@rhel7: RHEL-07-030480
+    stigid@rhel8: RHEL-08-030240
     stigid@sle12: SLES-12-020410
     stigid@sle15: SLES-15-030210
     stigid@ubuntu2004: UBTU-20-010147
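Review bot: The new `srg` list for fremovexattr omits `SRG-OS-000468-GPOS-00212`, which the lremovexattr and removexattr hunks in this same patch add, so the sibling rules no longer carry the same SRG mapping. The same kind of drift appears in the setxattr hunk, which gains only `SRG-OS-000042-GPOS-00020` while fsetxattr and lsetxattr also gain `000463`, `000468` and `000474`. It also appears in chacl, which gains `SRG-OS-000466-GPOS-00210` where setfacl does not. These may reflect real differences between the STIG entries, but they are worth checking against the benchmark, since the references drive traceability in the generated content. Keeping each list in ascending order, rather than appending `000064`, `000466` and `000458` at the end, would make such gaps easier to spot.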
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 4c27cbf7fb..564daccaed 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -64,9 +64,10 @@ references:
     nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
     stigid@ol7: OL07-00-030450
     stigid@rhel7: RHEL-07-030450
+    stigid@rhel8: RHEL-08-030230
     stigid@sle12: SLES-12-020380
     stigid@sle15: SLES-15-030230
     stigid@ubuntu2004: UBTU-20-010144
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 6e2432f309..edc053bfb3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -52,9 +52,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
     stigid@ol7: OL07-00-030390
     stigid@rhel7: RHEL-07-030390
+    stigid@rhel8: RHEL-08-030500
     stigid@sle12: SLES-12-020440
     stigid@sle15: SLES-15-030270
     stigid@ubuntu2004: UBTU-20-010151
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index ad034bc570..2ae0f11c58 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -69,9 +69,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
     stigid@ol7: OL07-00-030490
     stigid@rhel7: RHEL-07-030490
+    stigid@rhel8: RHEL-08-030200
     stigid@sle12: SLES-12-020400
     stigid@sle15: SLES-15-030200
     stigid@ubuntu2004: UBTU-20-010146
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index a3895bd4c7..945ad560d7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -63,9 +63,10 @@ references:
     nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
     stigid@ol7: OL07-00-030460
     stigid@rhel7: RHEL-07-030460
+    stigid@rhel8: RHEL-08-030220
     stigid@sle15: SLES-15-030240
     stigid@ubuntu2004: UBTU-20-010143
     vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index eee86b99de..e6d7374b7f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -17,7 +17,7 @@ description: |-
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
 {{%- if product in ["rhel8"] %}}
-    <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
+    <pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     <br /><br />
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
@@ -68,9 +68,10 @@ references:
     nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
     stigid@ol7: OL07-00-030470
     stigid@rhel7: RHEL-07-030470
+    stigid@rhel8: RHEL-08-030210
     stigid@sle12: SLES-12-020390
     stigid@sle15: SLES-15-030190
     stigid@ubuntu2004: UBTU-20-010145
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 4a90ed9f96..ab15167508 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -64,9 +64,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.5.5
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203
     stigid@ol7: OL07-00-030440
     stigid@rhel7: RHEL-07-030440
+    stigid@rhel8: RHEL-08-030270
     stigid@sle12: SLES-12-020370
     stigid@sle15: SLES-15-030220
     stigid@ubuntu2004: UBTU-20-010142
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 28125b692b..0c71e4ac24 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -27,13 +27,15 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89446-9
     cce@sle12: CCE-83190-9
     cce@sle15: CCE-85595-7
 
 references:
     disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
     nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+    stigid@rhel8: RHEL-08-030570
     stigid@sle12: SLES-12-020620
     stigid@sle15: SLES-15-030440
     stigid@ubuntu2004: UBTU-20-010168
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index 43fe86106c..89c134a0fa 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -27,13 +27,15 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-88437-9
     cce@sle12: CCE-83189-1
     cce@sle15: CCE-85594-0
 
 references:
     disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
     nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    stigid@rhel8: RHEL-08-030330
     stigid@sle12: SLES-12-020610
     stigid@sle15: SLES-15-030430
     stigid@ubuntu2004: UBTU-20-010167
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
index b50e27b810..0c6781c7d5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
@@ -60,9 +60,10 @@ references:
     nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
     nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii)AU-12.1(iv),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
     stigid@ol7: OL07-00-030580
     stigid@rhel7: RHEL-07-030580
+    stigid@rhel8: RHEL-08-030260
     stigid@sle12: SLES-12-020630
     stigid@sle15: SLES-15-030450
     stigid@ubuntu2004: UBTU-20-010165
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
index 2ad3b555b5..b609c3dfc2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
@@ -40,7 +40,7 @@ references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000172,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -49,9 +49,10 @@ references:
     nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
     stigid@ol7: OL07-00-030560
     stigid@rhel7: RHEL-07-030560
+    stigid@rhel8: RHEL-08-030313
     vmmsrg: SRG-OS-000463-VMM-001850
 
 ocil: |-
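Review bot: The added `srg:` value is no longer in ascending order: `SRG-OS-000463-GPOS-00207` and `SRG-OS-000465-GPOS-00209` now follow `SRG-OS-000471-GPOS-00215`, apparently because a common block was prepended to the rule's previous entries. A sorted list makes duplicates and omissions easier to spot when these mappings are audited, so I would write `srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000471-GPOS-00215`. The same ordering issue is in the srg lines added for setfiles, setsebool, the file_deletion_events rules, the unsuccessful_file_modification rules and lastlog. The `references:` block starts above this hunk.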
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
index eb8bd19edb..9de7407f4c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
@@ -37,11 +37,12 @@ identifiers:
     cce@rhel9: CCE-83736-9
 
 references:
-    disa: CCI-000172,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-002884
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
-    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
     stigid@ol7: OL07-00-030590
     stigid@rhel7: RHEL-07-030590
+    stigid@rhel8: RHEL-08-030314
     vmmsrg: SRG-OS-000463-VMM-001850
 
 ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
index 5544175f39..23504bab4a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
@@ -40,7 +40,7 @@ references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000172,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -48,9 +48,10 @@ references:
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
     stigid@ol7: OL07-00-030570
     stigid@rhel7: RHEL-07-030570
+    stigid@rhel8: RHEL-08-030316
     vmmsrg: SRG-OS-000463-VMM-001850
 
 ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
index fe72f59697..9dd83f6dba 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
@@ -37,7 +37,7 @@ references:
     cis@ubuntu2004: 4.1.13
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000172,CCI-000366,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
     stigid@ol7: OL07-00-030880
     stigid@rhel7: RHEL-07-030880
+    stigid@rhel8: RHEL-08-030361
     stigid@ubuntu2004: UBTU-20-010269
     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
index 3508352514..cd9aa9f5e6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
@@ -37,7 +37,7 @@ references:
     cis@ubuntu2004: 4.1.13
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000172,CCI-000366,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
     stigid@ol7: OL07-00-030890
     stigid@rhel7: RHEL-07-030890
+    stigid@rhel8: RHEL-08-030362
     stigid@ubuntu2004: UBTU-20-010270
     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
index 994cf0e087..6e0bb755b0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
@@ -36,7 +36,7 @@ references:
     cis@rhel8: 4.1.14
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000172,CCI-000366,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -45,9 +45,10 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
     stigid@ol7: OL07-00-030900
     stigid@rhel7: RHEL-07-030900
+    stigid@rhel8: RHEL-08-030363
     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
 
 {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
index 330221f9c6..be4e328b7c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
@@ -37,7 +37,7 @@ references:
     cis@ubuntu2004: 4.1.13
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000172,CCI-000366,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
     stigid@ol7: OL07-00-030910
     stigid@rhel7: RHEL-07-030910
+    stigid@rhel8: RHEL-08-030364
     stigid@ubuntu2004: UBTU-20-010267
     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
index 14ef50bb2b..eaf8f1e08b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
@@ -37,7 +37,7 @@ references:
     cis@ubuntu2004: 4.1.13
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000172,CCI-000366,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
     stigid@ol7: OL07-00-030920
     stigid@rhel7: RHEL-07-030920
+    stigid@rhel8: RHEL-08-030365
     stigid@ubuntu2004: UBTU-20-010268
     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index d793c73d87..08cc99133a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -57,9 +57,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
     stigid@ol7: OL07-00-030500
     stigid@rhel7: RHEL-07-030500
+    stigid@rhel8: RHEL-08-030470
     stigid@sle12: SLES-12-020520
     stigid@sle15: SLES-15-030160
     stigid@ubuntu2004: UBTU-20-010158
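Review bot: The `disa:` list is not touched in this file, although the sibling truncate rule later in the patch gains `CCI-000169` together with the same srg and `stigid@rhel8` change. The `disa:` line lies outside this hunk, so it may already carry that CCI. If it does not, insert `CCI-000169` into the existing list here and in the ftruncate, open, open_by_handle_at and openat rules, so the RHEL 8 mapping is consistent across the group. The three kernel_module_loading rules show the same single-hunk pattern and are worth the same check.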
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index e8990ac8c0..e9b688b9b4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -60,9 +60,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
     stigid@ol7: OL07-00-030550
     stigid@rhel7: RHEL-07-030550
+    stigid@rhel8: RHEL-08-030460
     stigid@sle12: SLES-12-020510
     stigid@sle15: SLES-15-030320
     stigid@ubuntu2004: UBTU-20-010157
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 8324307284..6e24227007 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -60,9 +60,10 @@ references:
     nist@sle15: AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),AU-3,AU-3.1,MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
     stigid@ol7: OL07-00-030510
     stigid@rhel7: RHEL-07-030510
+    stigid@rhel8: RHEL-08-030440
     stigid@sle12: SLES-12-020490
     stigid@sle15: SLES-15-030150
     stigid@ubuntu2004: UBTU-20-010155
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index f83c285dd2..2b6008fce1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -56,9 +56,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
     stigid@ol7: OL07-00-030530
     stigid@rhel7: RHEL-07-030530
+    stigid@rhel8: RHEL-08-030450
     stigid@sle12: SLES-12-020540
     stigid@sle15: SLES-15-030180
     stigid@ubuntu2004: UBTU-20-010160
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index 15311727d6..308e3da789 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -60,9 +60,10 @@ references:
     nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
     stigid@ol7: OL07-00-030520
     stigid@rhel7: RHEL-07-030520
+    stigid@rhel8: RHEL-08-030430
     stigid@sle12: SLES-12-020530
     stigid@sle15: SLES-15-030170
     stigid@ubuntu2004: UBTU-20-010159
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index 5d8e55087d..6ab8d28917 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -50,7 +50,7 @@ references:
     cis@ubuntu2004: 4.1.10
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000172,CCI-002884
+    disa: CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -59,9 +59,10 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
     stigid@ol7: OL07-00-030540
     stigid@rhel7: RHEL-07-030540
+    stigid@rhel8: RHEL-08-030420
     stigid@sle12: SLES-12-020500
     stigid@sle15: SLES-15-030610
     stigid@ubuntu2004: UBTU-20-010156
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index 48d0b501a3..052d21b4f0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -48,9 +48,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
     stigid@ol7: OL07-00-030830
     stigid@rhel7: RHEL-07-030830
+    stigid@rhel8: RHEL-08-030390
     stigid@sle12: SLES-12-020730
     stigid@sle15: SLES-15-030520
     stigid@ubuntu2004: UBTU-20-010302
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index 1457d423bf..aa17002321 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -47,9 +47,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
     stigid@ol7: OL07-00-030821
     stigid@rhel7: RHEL-07-030821
+    stigid@rhel8: RHEL-08-030380
     stigid@sle12: SLES-12-020740
     stigid@sle15: SLES-15-030530
     stigid@ubuntu2004: UBTU-20-010180
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index 53b9accfd8..1d8260432e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -47,9 +47,10 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
     stigid@ol7: OL07-00-030820
     stigid@rhel7: RHEL-07-030820
+    stigid@rhel8: RHEL-08-030360
     stigid@sle12: SLES-12-020750
     stigid@sle15: SLES-15-030540
     stigid@ubuntu2004: UBTU-20-010179
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index f981f0143c..25f578b1f6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -39,7 +39,7 @@ references:
     cis@ubuntu2004: 4.1.7
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000126,CCI-000172,CCI-002884
+    disa: CCI-000126,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -48,7 +48,7 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.3
-    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000470-GPOS-00214
     stigid@ol7: OL07-00-030620
     stigid@rhel7: RHEL-07-030620
     stigid@rhel8: RHEL-08-030600
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
index 426f1debed..474910c4c8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
@@ -43,7 +43,7 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
     nerc-cip: CIP-004-3 R2.2.2,CIP-004-3 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
     nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030660
     stigid@rhel7: RHEL-07-030660
+    stigid@rhel8: RHEL-08-030250
     stigid@sle12: SLES-12-020690
     stigid@sle15: SLES-15-030120
     stigid@ubuntu2004: UBTU-20-010175
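Review bot: `SRG-OS-000468-GPOS-00212` is added to chage's `srg:` list but not to chsh's in the next file, and elsewhere in this patch that SRG was already on the file-deletion rules (rename, rmdir, unlink). If it comes from the RHEL-08-030250 entry it is fine as is, and a short mention in the commit message would settle the question. Otherwise it looks like a copy-over, and the line would match chsh: `srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215`. A wrong SRG here would let compliance reports claim coverage that this audit rule does not provide.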
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
index a31dd7eddb..3ca968a543 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
@@ -43,7 +43,7 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
     nerc-cip: CIP-004-3 R2.2.2,CIP-004-3 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
     nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030720
     stigid@rhel7: RHEL-07-030720
+    stigid@rhel8: RHEL-08-030410
     stigid@sle12: SLES-12-020580
     stigid@sle15: SLES-15-030100
     stigid@ubuntu2004: UBTU-20-010163
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index 6146418c75..7c5058c7f8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -43,16 +43,17 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030800
     stigid@rhel7: RHEL-07-030800
+    stigid@rhel8: RHEL-08-030400
     stigid@sle12: SLES-12-020710
     stigid@sle15: SLES-15-030130
     stigid@ubuntu2004: UBTU-20-010177
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
index a9f782bb64..0c7bf84268 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
@@ -43,7 +43,7 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -52,9 +52,10 @@ references:
     nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030650
     stigid@rhel7: RHEL-07-030650
+    stigid@rhel8: RHEL-08-030370
     stigid@sle12: SLES-12-020560
     stigid@sle15: SLES-15-030080
     stigid@ubuntu2004: UBTU-20-010174
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index 168d5c51fc..851dd5aa3d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -28,13 +28,15 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89455-0
     cce@sle12: CCE-83207-1
     cce@sle15: CCE-85591-6
 
 references:
     disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
     nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a)
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+    stigid@rhel8: RHEL-08-030580
     stigid@sle12: SLES-12-020360
     stigid@sle15: SLES-15-030410
     stigid@ubuntu2004: UBTU-20-010297
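Review bot: The `nist:` context line in this hunk still reads `AU-12.1(iv)AU-12(c)` with no comma, so two control references are fused into one token that no NIST lookup will match. This is the same kind of defect the patch repairs in the ssh_agent rule's `srg:` line, and it could be fixed here while the references block is being touched: `nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),AU-12(c),MA-4(1)(a)`. Until it is split, the AU-12(c) mapping for the kmod audit rule is presumably lost in generated control tables.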
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
index 01c7a7ea92..cc423c4146 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
@@ -46,6 +46,7 @@ references:
     srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030740
     stigid@rhel7: RHEL-07-030740
+    stigid@rhel8: RHEL-08-030300
     stigid@sle12: SLES-12-020290
     stigid@sle15: SLES-15-030350
     stigid@ubuntu2004: UBTU-20-010138
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index 53ee78dc10..edbb41f3d8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -43,7 +43,7 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000130,CCI-000169,CCI-000135,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
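Review bot: The new `disa:` value puts `CCI-000169` before `CCI-000135`, whereas every other rule touched by this patch keeps the CCI list in ascending order. It is harmless to the build, but it makes the otherwise identical lists harder to compare across rules when auditing the mappings. Suggested line: `disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884`.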
@@ -52,9 +52,10 @@ references:
     nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030710
     stigid@rhel7: RHEL-07-030710
+    stigid@rhel8: RHEL-08-030350
     stigid@sle12: SLES-12-020570
     stigid@sle15: SLES-15-030090
     stigid@ubuntu2004: UBTU-20-010164
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index 5753e20e9e..f5a3a4be02 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -50,16 +50,17 @@ references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030810
     stigid@rhel7: RHEL-07-030810
+    stigid@rhel8: RHEL-08-030340
     stigid@sle12: SLES-12-020720
     stigid@sle15: SLES-15-030510
     stigid@ubuntu2004: UBTU-20-010178
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 6792cad002..06b5cfc4ae 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -42,7 +42,7 @@ references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
     nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030630
     stigid@rhel7: RHEL-07-030630
+    stigid@rhel8: RHEL-08-030280
     stigid@sle12: SLES-12-020550
     stigid@sle15: SLES-15-030070
     stigid@ubuntu2004: UBTU-20-010172
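Review bot: The added `stigid@rhel8: RHEL-08-030280` is the same value this patch adds to audit_rules_privileged_commands_ssh_agent further down, so two different rules claim one RHEL 8 STIG item. One of the two is presumably a copy-paste slip. A report keyed on STIG ID would then fold the passwd and ssh-agent results into a single finding and leave the other STIG item with no mapped rule, which can hide a missing audit rule behind a passing one. Confirm against the published RHEL 8 STIG which command RHEL-08-030280 covers and change the other entry to `stigid@rhel8: <STIG ID for that command>`.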
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
index 4080c66b8d..8f90c9c211 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
@@ -41,16 +41,17 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030760
     stigid@rhel7: RHEL-07-030760
+    stigid@rhel8: RHEL-08-030311
     vmmsrg: SRG-OS-000471-VMM-001910
 
 ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
index 96308029f9..e913e83a0b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
@@ -41,16 +41,17 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030770
     stigid@rhel7: RHEL-07-030770
+    stigid@rhel8: RHEL-08-030312
     vmmsrg: SRG-OS-000471-VMM-001910
 
 ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
index b9f68d0712..f2ebca4550 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
@@ -28,14 +28,16 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-85944-7
     cce@sle12: CCE-83199-0
     cce@sle15: CCE-85590-8
 
 references:
     cis@ubuntu2004: 4.1.11
-    disa: CCI-000130,CCI-000172
+    disa: CCI-000130,CCI-000169,CCI-000172
     nist@sle12: AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    stigid@rhel8: RHEL-08-030280
     stigid@sle12: SLES-12-020310
     stigid@sle15: SLES-15-030370
     stigid@ubuntu2004: UBTU-20-010140
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 8a042f7def..1bec9be61b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -47,7 +47,7 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -55,9 +55,10 @@ references:
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030780
     stigid@rhel7: RHEL-07-030780
+    stigid@rhel8: RHEL-08-030320
     stigid@sle12: SLES-12-020320
     stigid@sle15: SLES-15-030060
     stigid@ubuntu2004: UBTU-20-010141
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index fce851d8e4..99e09ab4e3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -43,7 +43,7 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -51,9 +51,10 @@ references:
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-0003,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
     stigid@ol7: OL07-00-030680
     stigid@rhel7: RHEL-07-030680
+    stigid@rhel8: RHEL-08-030190
     stigid@sle12: SLES-12-020250
     stigid@sle15: SLES-15-030550
     stigid@ubuntu2004: UBTU-20-010136
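Review bot: The new `srg:` list contains `SRG-OS-000064-GPOS-0003`, whose suffix has four digits while every other SRG identifier in this patch ends in five, so it looks truncated. A malformed ID will not resolve against the SRG, and the requirement it was meant to cite stays unmapped for the `su` audit rule. Replace it with the full identifier from the GPOS SRG, `SRG-OS-000064-GPOS-<five-digit suffix>`. While editing the line, `SRG-OS-000466-GPOS-00210` could move ahead of `SRG-OS-000471-GPOS-00215` to keep the list sorted; the sudo and usermod hunks append it out of order in the same way.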
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 50f72b7d89..aac859c4b1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -44,7 +44,7 @@ references:
     cis@ubuntu2004: 4.1.11
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -52,9 +52,10 @@ references:
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
     stigid@ol7: OL07-00-030690
     stigid@rhel7: RHEL-07-030690
+    stigid@rhel8: RHEL-08-030550
     stigid@sle12: SLES-12-020260
     stigid@sle15: SLES-15-030560
     stigid@ubuntu2004: UBTU-20-010161
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index 28fda0e782..061b5c28a7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -54,6 +54,7 @@ references:
     srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030750
     stigid@rhel7: RHEL-07-030750
+    stigid@rhel8: RHEL-08-030301
     stigid@sle12: SLES-12-020300
     stigid@sle15: SLES-15-030360
     stigid@ubuntu2004: UBTU-20-010139
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index f78b1972be..41a6123f5b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -52,9 +52,10 @@ references:
     nist: AC-2(4),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),AC-6(9),CM-6(a),MA-4(1)(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-OS-000037-GPOS-00015
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030640
     stigid@rhel7: RHEL-07-030640
+    stigid@rhel8: RHEL-08-030317
     stigid@sle12: SLES-12-020680
     stigid@sle15: SLES-15-030110
     vmmsrg: SRG-OS-000471-VMM-001910
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
index 13bddb000a..de8bab633a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
@@ -40,7 +40,7 @@ references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
@@ -48,9 +48,10 @@ references:
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030670
     stigid@rhel7: RHEL-07-030670
+    stigid@rhel8: RHEL-08-030315
     vmmsrg: SRG-OS-000471-VMM-001910
 
 ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index b4c8a8f2cb..288d3c3bf2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -39,13 +39,15 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-86027-0
     cce@sle12: CCE-83191-7
     cce@sle15: CCE-85600-5
 
 references:
     disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
     nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
-    srg: SRG-OS-000037-GPOS-00015
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+    stigid@rhel8: RHEL-08-030560
     stigid@sle12: SLES-12-020700
     stigid@sle15: SLES-15-030500
     stigid@ubuntu2004: UBTU-20-010176
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
index 6aab91b6d5..6818e5c7b8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
@@ -39,6 +39,7 @@ references:
     cjis: 5.4.1.1
     cobit5: APO01.06,APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.3.1,3.4.3
+    disa: CCI-000162
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
@@ -46,4 +47,5 @@ references:
     nist: AC-6(9),CM-6(a)
     nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
     pcidss: Req-10.5.2
+    srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
     stigid@rhel8: RHEL-08-030121
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
index 7dd945ae83..298aec87f3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -38,7 +38,7 @@ references:
     cjis: 5.4.1.1
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000135,CCI-002884
+    disa: CCI-000135,CCI-000169,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -46,9 +46,10 @@ references:
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     pcidss: Req-10.2.7
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030740
     stigid@rhel7: RHEL-07-030740
+    stigid@rhel8: RHEL-08-030302
     stigid@sle12: SLES-12-020290
 
 ocil_clause: 'there is no output'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
index 52c7bd2aef..12bca676d8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -47,7 +47,7 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.2,Req-10.2.5.b
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
     stigid@ol7: OL07-00-030700
     stigid@rhel7: RHEL-07-030700
     stigid@rhel8: RHEL-08-030172
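Review bot: The new `srg:` value carries a CCI identifier, `CCI-002884`, in the middle of the SRG list and lists `SRG-OS-000304-GPOS-00121` twice. A tool that maps `srg:` entries to SRG requirements would see one entry that is not an SRG and one redundant one. I would drop the second `SRG-OS-000304-GPOS-00121` and move `CCI-002884` under the `disa:` key, which is outside this hunk, so check whether it is already listed there. The same two problems are in the `srg:` lines added for audit_rules_usergroup_modification_group and the new audit_rules_sudoers/rule.yml. The gshadow, opasswd, passwd and shadow variants repeat only the duplicated SRG entry.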
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index a91d14e967..11c8f823c3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -43,7 +43,7 @@ references:
     cjis: 5.4.1.1
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+    disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.5
-    srg: SRG-OS-000004-GPOS-00004
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
     stigid@ol7: OL07-00-030871
     stigid@rhel7: RHEL-07-030871
     stigid@rhel8: RHEL-08-030170
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 90b98863c1..8ccf265de6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -43,7 +43,7 @@ references:
     cjis: 5.4.1.1
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+    disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.5
-    srg: SRG-OS-000004-GPOS-00004
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
     stigid@ol7: OL07-00-030872
     stigid@rhel7: RHEL-07-030872
     stigid@rhel8: RHEL-08-030160
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index 05e12170e4..b8e99f216a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -43,7 +43,7 @@ references:
     cjis: 5.4.1.1
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+    disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -54,7 +54,7 @@ references:
     nist@sle15: AC-2(4).1(i&ii),AU-12.1(iv)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.5
-    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000463-GPOS-00207,SRG-OS-000476-GPOS-00221
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000476-GPOS-00221,SRG-OS-000463-GPOS-00207
     stigid@ol7: OL07-00-030874
     stigid@rhel7: RHEL-07-030874
     stigid@rhel8: RHEL-08-030140
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index 88ef5606a7..aae128fee9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -43,7 +43,7 @@ references:
     cjis: 5.4.1.1
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+    disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.5
-    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107
     stigid@ol7: OL07-00-030870
     stigid@rhel7: RHEL-07-030870
     stigid@rhel8: RHEL-08-030150
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index 6d084343c9..d6cede0d34 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -43,7 +43,7 @@ references:
     cjis: 5.4.1.1
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+    disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -53,7 +53,7 @@ references:
     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.5
-    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
     stigid@ol7: OL07-00-030873
     stigid@rhel7: RHEL-07-030873
     stigid@rhel8: RHEL-08-030130
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index f1b2bb78fb..733172861a 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -46,7 +46,7 @@ references:
     nist: AC-17(1),AU-14(1),AU-10,CM-6(a),IR-5(1)
     nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
     pcidss: Req-10.3
-    srg: SRG-OS-000254-GPOS-00095,SRG-OS-000062-GPOS-00031
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000254-GPOS-00095
     stigid@rhel8: RHEL-08-030601
     stigid@ubuntu2004: UBTU-20-010198
     vmmsrg: SRG-OS-000254-VMM-000880
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index aa22da90c3..261dc1849e 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -35,9 +35,10 @@ identifiers:
     cce@rhel9: CCE-83673-4
 
 references:
+    disa: CCI-000162
     nist: AU-2(a)
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220
+    srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
     stigid@rhel8: RHEL-08-030122
 
 ocil_clause: 'the file does not exist or the content differs'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 3cbb4796ac..469c7dff5e 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -846,7 +846,7 @@ selections:
 
     # RHEL-08-030590
     # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be
-    # implemented as it is the one that configures a different patch for the events of failing locks
+    # implemented as it is the one that configures a different path for the events of failing locks
     # - audit_rules_login_events_faillock
 
     # RHEL-08-030600
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 1d54e8ec15..dcb1e675bd 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -74,7 +74,6 @@ CCE-85940-5
 CCE-85941-3
 CCE-85942-1
 CCE-85943-9
-CCE-85944-7
 CCE-85945-4
 CCE-85946-2
 CCE-85947-0
@@ -154,7 +153,6 @@ CCE-86023-9
 CCE-86024-7
 CCE-86025-4
 CCE-86026-2
-CCE-86027-0
 CCE-86028-8
 CCE-86029-6
 CCE-86030-4
@@ -2522,7 +2520,6 @@ CCE-88433-8
 CCE-88434-6
 CCE-88435-3
 CCE-88436-1
-CCE-88437-9
 CCE-88438-7
 CCE-88439-5
 CCE-88440-3
@@ -3515,7 +3512,6 @@ CCE-89442-8
 CCE-89443-6
 CCE-89444-4
 CCE-89445-1
-CCE-89446-9
 CCE-89447-7
 CCE-89448-5
 CCE-89449-3
@@ -3524,7 +3520,6 @@ CCE-89451-9
 CCE-89452-7
 CCE-89453-5
 CCE-89454-3
-CCE-89455-0
 CCE-89456-8
 CCE-89457-6
 CCE-89458-4

From 1e6b51ceb3e8fb9e6406b5f0ba925120e19e719d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 3 Aug 2021 11:44:57 +0200
Subject: [PATCH 12/21] Define template data using product qualifiers instead
 of macros.

---
 .../audit_rules_privileged_commands_ssh_keysign/rule.yml      | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 1bec9be61b..5c39013572 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -75,4 +75,6 @@ ocil: |-
 template:
     name: audit_rules_privileged_commands
     vars:
-        path: {{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign{{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}}
+        path: /usr/libexec/openssh/ssh-keysign
+        path@sle12: /usr/lib/ssh/ssh-keysign
+        path@sle15: /usr/lib/ssh/ssh-keysign

From f8478dea74e99affff3f3b7b62d91ac509d71a8c Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 3 Aug 2021 12:01:18 +0200
Subject: [PATCH 13/21] Add new STIG audit rule
 audit_rules_privileged_commands_unix_update.

---
 .../rule.yml                                  | 53 +++++++++++++++++++
 .../tests/ocp4/e2e.yml                        |  3 ++
 products/rhel8/profiles/stig.profile          |  2 +-
 shared/references/cce-redhat-avail.txt        |  2 -
 4 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
new file mode 100644
index 0000000000..7ef800da19
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
@@ -0,0 +1,53 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_update'
+
+description: |-
+    At a minimum, the audit system should collect the execution of
+    privileged commands for all users and root. If the <tt>auditd</tt> daemon is
+    configured to use the <tt>augenrules</tt> program to read audit rules during
+    daemon startup (the default), add a line of the following form to a file with
+    suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add a line of the following
+    form to <tt>/etc/audit/audit.rules</tt>:
+    <pre>-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+
+rationale: |-
+    Misuse of privileged functions, either intentionally or unintentionally by
+    authorized users, or by unauthorized external entities that have compromised system accounts,
+    is a serious and ongoing concern and can have significant adverse impacts on organizations.
+    Auditing the use of privileged functions is one way to detect such misuse and identify
+    the risk from insider and advanced persistent threats.
+    <br /><br />
+    Privileged programs are subject to escalation-of-privilege attacks,
+    which attempt to subvert their normal role of providing some necessary but
+    limited capability. As such, motivation exists to monitor these programs for
+    unusual activity.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-89480-8
+    cce@rhel9: CCE-89481-6
+
+references:
+    disa: CCI-000169
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+    stigid@rhel8: RHEL-08-030310
+
+ocil_clause: 'it is not the case'
+
+ocil: |-
+    To verify that auditing of privileged command use is configured, run the
+    following command:
+    <pre>$ sudo grep unix_update /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
+    It should return a relevant line in the audit rules.
+
+template:
+    name: audit_rules_privileged_commands
+    vars:
+        path: /usr/sbin/unix_update
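Review bot: The `ocil` check greps the rule files on disk for the string `unix_update`, so a commented-out line, or a rule that is present but was never loaded, would satisfy the manual check. Checking the loaded rule set is closer to what the requirement asks for: `<pre>$ sudo auditctl -l | grep unix_update</pre>`. The `ocil_clause` value `'it is not the case'` also gives the assessor no concrete failing condition; something like `ocil_clause: 'the command does not return a line'` would be clearer.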
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
new file mode 100644
index 0000000000..fd9b313e87
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 469c7dff5e..2cece6a130 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -725,7 +725,7 @@ selections:
     - audit_rules_media_export
 
     # RHEL-08-030310
-    # missing rule
+    - audit_rules_privileged_commands_unix_update
 
     # RHEL-08-030311
     - audit_rules_privileged_commands_postdrop
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index dcb1e675bd..ac98344c73 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3544,8 +3544,6 @@ CCE-89476-6
 CCE-89477-4
 CCE-89478-2
 CCE-89479-0
-CCE-89480-8
-CCE-89481-6
 CCE-89482-4
 CCE-89483-2
 CCE-89484-0

From 1216eda0621bedfd60f189bbfd60e79f3b6f5411 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 3 Aug 2021 12:30:11 +0200
Subject: [PATCH 14/21] Add two new rules to cover STIG req based on existing
 rule.

The rule used as basis is audit_rules_sysadmin_actions. This rule is
used by many profiles and it didn't make sense to change its behavior,
so two new rules were created to be used only by RHEL8 STIG.
---
 .../audit_rules_sudoers/ansible/shared.yml    | 39 +++++++++++++++++++
 .../audit_rules_sudoers/bash/shared.sh        |  8 ++++
 .../audit_rules_sudoers/oval/shared.xml       | 34 ++++++++++++++++
 .../audit_rules_sudoers/rule.yml              | 39 +++++++++++++++++++
 .../audit_rules_sudoers/tests/correct.pass.sh |  3 ++
 .../audit_rules_sudoers/tests/empty.fail.sh   |  4 ++
 .../tests/wrong_value.fail.sh                 |  4 ++
 .../audit_rules_sudoers_d/ansible/shared.yml  | 39 +++++++++++++++++++
 .../audit_rules_sudoers_d/bash/shared.sh      |  8 ++++
 .../audit_rules_sudoers_d/oval/shared.xml     | 34 ++++++++++++++++
 .../audit_rules_sudoers_d/rule.yml            | 39 +++++++++++++++++++
 .../tests/correct.pass.sh                     |  3 ++
 .../audit_rules_sudoers_d/tests/empty.fail.sh |  4 ++
 .../tests/missing_slash.fail.sh               |  4 ++
 products/rhel8/profiles/stig.profile          |  5 +--
 shared/references/cce-redhat-avail.txt        |  4 --
 16 files changed, 264 insertions(+), 7 deletions(-)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml
new file mode 100644
index 0000000000..12324a9f76
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml
@@ -0,0 +1,39 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Inserts/replaces the rule in /etc/audit/rules.d
+
+- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions
+  find:
+    paths: "/etc/audit/rules.d"
+    recurse: no
+    contains: '^.*/etc/sudoers\s.*$'
+    patterns: "*.rules"
+  register: find_audit_sysadmin_actions
+
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+  set_fact:
+    all_sysadmin_actions_files:
+      - /etc/audit/rules.d/actions.rules
+  when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0
+
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_sysadmin_actions_files:
+      - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}"
+  when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0
+
+- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d
+  lineinfile:
+    path: "{{ all_sysadmin_actions_files[0] }}"
+    line: '-w /etc/sudoers -p wa -k actions'
+    create: yes
+
+- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules
+  lineinfile:
+    path: /etc/audit/audit.rules
+    line: '-w /etc/sudoers -p wa -k actions'
+    create: yes
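Review bot: Both `lineinfile` tasks use `create: yes` without a `mode`, so if the target file does not exist it is created with whatever the default umask yields, which may leave an audit rule file world-readable. Setting it explicitly, e.g. `mode: '0640'`, on both tasks would keep the permissions predictable. The tasks are also named "Inserts/replaces" but have no `regexp`, so an existing `/etc/sudoers` watch with different permissions or key is left in place and the new line is appended beside it. Adding `regexp: '^\s*-w\s+/etc/sudoers\s'` would make the task actually replace such a line.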
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh
new file mode 100644
index 0000000000..a1392449b0
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
+fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml
new file mode 100644
index 0000000000..96d1a91c1e
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml
@@ -0,0 +1,34 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_sudoers" version="1">
+    {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.") }}}
+    <criteria operator="OR">
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules sudoers" test_ref="test_audit_rules_sudoers_augenrules" />
+      </criteria>
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl sudoers" test_ref="test_audit_rules_sudoers_auditctl" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules sudoers" id="test_audit_rules_sudoers_augenrules" version="1">
+    <ind:object object_ref="object_audit_rules_sudoers_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_audit_rules_sudoers_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="test_audit_rules_sudoers_auditctl" version="1">
+    <ind:object object_ref="object_audit_rules_sudoers_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_audit_rules_sudoers_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
new file mode 100644
index 0000000000..f39bfa7e72
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers'
+
+description: |-
+    At a minimum, the audit system should collect administrator actions
+    for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the default),
+    add the following line to a file with suffix <tt>.rules</tt> in the directory
+    <tt>/etc/audit/rules.d</tt>:
+    <pre>-w /etc/sudoers -p wa -k actions</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following line to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-w /etc/sudoers -p wa -k actions</pre>
+
+rationale: |-
+    The actions taken by system administrators should be audited to keep a record
+    of what was executed on the system, as well as, for accountability purposes.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-90175-1
+    cce@rhel9: CCE-90176-9
+
+references:
+    disa: CCI-000169
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
+    stigid@rhel8: RHEL-08-030171
+
+ocil_clause: 'there is not output'
+
+ocil: |-
+    To verify that auditing is configured for system administrator actions, run the following command:
+    <pre>$ sudo auditctl -l | grep "watch=/etc/sudoers\|-w /etc/sudoers\"</pre>
+
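Review bot: The OCIL command on the final `<pre>` line ends in `\"`, which escapes the closing quote, so the command is left unterminated when pasted into a shell. It should end `-w /etc/sudoers"`. The pattern has no delimiter after the path, so it also matches `/etc/sudoers.d` lines, and an auditor could take a sudoers.d watch as evidence for this rule. A trailing space in each alternative, `grep "watch=/etc/sudoers \|-w /etc/sudoers "`, would keep the two rules apart, assuming `auditctl -l` prints a space after the path. Separately, `ocil_clause: 'there is not output'` reads better as `'there is no output'`; the same wording appears in audit_rules_sudoers_d/rule.yml.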
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh
new file mode 100644
index 0000000000..27ff10cb23
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+mkdir -p /etc/audit/rules.d/
+echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh
new file mode 100644
index 0000000000..2776dabaa1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /etc/audit/rules.d/
+mkdir -p /etc/audit/rules.d/
+touch /etc/audit/audit.rules
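Review bot: `touch /etc/audit/audit.rules` creates the file when it is missing but leaves any existing content in place, so this fail scenario only holds if the test image has no sudoers watch in audit.rules already. `: > /etc/audit/audit.rules` would make the empty state explicit. The same line is in audit_rules_sudoers_d/tests/empty.fail.sh. wrong_value.fail.sh and missing_slash.fail.sh have a related gap: they append to actions.rules with `>>` without first clearing /etc/audit/rules.d/, so a compliant rule left there would let the scan pass. Whether the harness always starts from a clean image is not visible in this patch.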
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..3d30475363
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /etc/audit/rules.d/
+echo "-w /etc/sudo -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml
new file mode 100644
index 0000000000..89e028ac2d
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml
@@ -0,0 +1,39 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Inserts/replaces the rule in /etc/audit/rules.d
+
+- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions
+  find:
+    paths: "/etc/audit/rules.d"
+    recurse: no
+    contains: '^.*/etc/sudoers\.d/\s.*$'
+    patterns: "*.rules"
+  register: find_audit_sysadmin_actions
+
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+  set_fact:
+    all_sysadmin_actions_files:
+      - /etc/audit/rules.d/actions.rules
+  when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0
+
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_sysadmin_actions_files:
+      - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}"
+  when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0
+
+- name: Inserts/replaces audit rule for /etc/sudoers.d/ rule in rules.d
+  lineinfile:
+    path: "{{ all_sysadmin_actions_files[0] }}"
+    line: '-w /etc/sudoers.d/ -p wa -k actions'
+    create: yes
+
+- name: Inserts/replaces audit rule for /etc/sudoers.d/ in audit.rules
+  lineinfile:
+    path: /etc/audit/audit.rules
+    line: '-w /etc/sudoers.d/ -p wa -k actions'
+    create: yes
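Review bot: Both `lineinfile` tasks are named "Inserts/replaces" but carry no `regexp`, so they only add the exact line and never replace an existing /etc/sudoers.d/ watch that differs in permissions or key. That can leave two watches for the same path in one file, and a duplicate may be rejected when the rules are loaded. Adding `regexp: '^\s*-w\s+/etc/sudoers\.d/\s'` to each task would rewrite the existing entry in place. The tasks also use `create: yes` without `mode`, so a newly created rules file gets whatever the default umask yields; an explicit `mode: '0640'` (value to be confirmed against the project's convention) would avoid a readable audit configuration.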
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh
new file mode 100644
index 0000000000..9a6292d21d
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions"
+fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml
new file mode 100644
index 0000000000..c171851647
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml
@@ -0,0 +1,34 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_sudoers_d" version="1">
+    {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.d/.") }}}
+    <criteria operator="OR">
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules sudoers_d" test_ref="test_audit_rules_sudoers_d_augenrules" />
+      </criteria>
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit auditctl sudoers_d" test_ref="test_audit_rules_sudoers_d_auditctl" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit augenrules sudoers" id="test_audit_rules_sudoers_d_augenrules" version="1">
+    <ind:object object_ref="object_audit_rules_sudoers_d_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_audit_rules_sudoers_d_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="test_audit_rules_sudoers_d_auditctl" version="1">
+    <ind:object object_ref="object_audit_rules_sudoers_d_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_audit_rules_sudoers_d_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
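Review bot: The `comment` attributes on `test_audit_rules_sudoers_d_augenrules` and `test_audit_rules_sudoers_d_auditctl` still say "sudoers", apparently copied from the /etc/sudoers check, while the criterion comments in the definition above say "sudoers_d". If these comments are shown in scan output, the two rules become hard to tell apart when triaging a failed result. Suggest `comment="audit augenrules sudoers_d"` and `comment="audit auditctl sudoers_d"` on the two test elements.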
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
new file mode 100644
index 0000000000..d4a35a7996
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel8,rhel9
+
+title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/'
+
+description: |-
+    At a minimum, the audit system should collect administrator actions
+    for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the default),
+    add the following line to a file with suffix <tt>.rules</tt> in the directory
+    <tt>/etc/audit/rules.d</tt>:
+    <pre>-w /etc/sudoers.d/ -p wa -k actions</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following line to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-w /etc/sudoers.d/ -p wa -k actions</pre>
+
+rationale: |-
+    The actions taken by system administrators should be audited to keep a record
+    of what was executed on the system, as well as, for accountability purposes.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-89497-2
+    cce@rhel9: CCE-89498-0
+
+references:
+    disa: CCI-000169
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
+    stigid@rhel8: RHEL-08-030172
+
+ocil_clause: 'there is not output'
+
+ocil: |-
+    To verify that auditing is configured for system administrator actions, run the following command:
+    <pre>$ sudo auditctl -l | grep "watch=/etc/sudoers.d\|-w /etc/sudoers.d"</pre>
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh
new file mode 100644
index 0000000000..a1259a6e66
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+mkdir -p /etc/audit/rules.d/
+echo "-w /etc/sudoers.d/ -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh
new file mode 100644
index 0000000000..2776dabaa1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /etc/audit/rules.d/
+mkdir -p /etc/audit/rules.d/
+touch /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh
new file mode 100644
index 0000000000..dd96b1ec10
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /etc/audit/rules.d/
+echo "-w /etc/sudoers.d -p wa -k actions" >> /etc/audit/rules.d/actions.rules
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 2cece6a130..965068a691 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -673,11 +673,10 @@ selections:
     - audit_rules_usergroup_modification_group
 
     # RHEL-08-030171
-    # should be split
-    # - audit_rules_sysadmin_actions
+    - audit_rules_sudoers
 
     # RHEL-08-030172
-    - audit_rules_sysadmin_actions
+    - audit_rules_sudoers_d
 
     # RHEL-08-030180
     - package_audit_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ac98344c73..001262c6ee 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3559,8 +3559,6 @@ CCE-89493-1
 CCE-89494-9
 CCE-89495-6
 CCE-89496-4
-CCE-89497-2
-CCE-89498-0
 CCE-89499-8
 CCE-89500-3
 CCE-89501-1
@@ -4228,8 +4226,6 @@ CCE-90170-2
 CCE-90172-8
 CCE-90173-6
 CCE-90174-4
-CCE-90175-1
-CCE-90176-9
 CCE-90177-7
 CCE-90178-5
 CCE-90179-3

From 2db69d93f8616c9d39897a44994ccdfc30fafb65 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 3 Aug 2021 16:15:14 +0200
Subject: [PATCH 15/21] Update RHEL8 STIG profiles stability test data.

---
 .../data/profile_stability/rhel8/stig.profile | 64 +++++++++++++++++++
 .../profile_stability/rhel8/stig_gui.profile  | 64 +++++++++++++++++++
 2 files changed, 128 insertions(+)

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index fcae79f6d8..d7e2f71376 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -66,7 +66,71 @@ selections:
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
+- audit_immutable_login_uids
+- audit_rules_dac_modification_chmod
+- audit_rules_dac_modification_chown
+- audit_rules_dac_modification_fchmod
+- audit_rules_dac_modification_fchmodat
+- audit_rules_dac_modification_fchown
+- audit_rules_dac_modification_fchownat
+- audit_rules_dac_modification_fremovexattr
+- audit_rules_dac_modification_fsetxattr
+- audit_rules_dac_modification_lchown
+- audit_rules_dac_modification_lremovexattr
+- audit_rules_dac_modification_lsetxattr
+- audit_rules_dac_modification_removexattr
+- audit_rules_dac_modification_setxattr
+- audit_rules_execution_chacl
+- audit_rules_execution_chcon
+- audit_rules_execution_semanage
+- audit_rules_execution_setfacl
+- audit_rules_execution_setfiles
+- audit_rules_execution_setsebool
+- audit_rules_file_deletion_events_rename
+- audit_rules_file_deletion_events_renameat
+- audit_rules_file_deletion_events_rmdir
+- audit_rules_file_deletion_events_unlink
+- audit_rules_file_deletion_events_unlinkat
+- audit_rules_immutable
+- audit_rules_kernel_module_loading_delete
+- audit_rules_kernel_module_loading_finit
+- audit_rules_kernel_module_loading_init
+- audit_rules_login_events_lastlog
+- audit_rules_media_export
+- audit_rules_privileged_commands_chage
+- audit_rules_privileged_commands_chsh
+- audit_rules_privileged_commands_crontab
+- audit_rules_privileged_commands_gpasswd
+- audit_rules_privileged_commands_kmod
+- audit_rules_privileged_commands_mount
+- audit_rules_privileged_commands_newgrp
+- audit_rules_privileged_commands_pam_timestamp_check
+- audit_rules_privileged_commands_passwd
+- audit_rules_privileged_commands_postdrop
+- audit_rules_privileged_commands_postqueue
+- audit_rules_privileged_commands_ssh_agent
+- audit_rules_privileged_commands_ssh_keysign
+- audit_rules_privileged_commands_su
+- audit_rules_privileged_commands_sudo
+- audit_rules_privileged_commands_umount
+- audit_rules_privileged_commands_unix_chkpwd
+- audit_rules_privileged_commands_unix_update
+- audit_rules_privileged_commands_userhelper
+- audit_rules_privileged_commands_usermod
+- audit_rules_sudoers
+- audit_rules_sudoers_d
 - audit_rules_suid_privilege_function
+- audit_rules_unsuccessful_file_modification_creat
+- audit_rules_unsuccessful_file_modification_ftruncate
+- audit_rules_unsuccessful_file_modification_open
+- audit_rules_unsuccessful_file_modification_open_by_handle_at
+- audit_rules_unsuccessful_file_modification_openat
+- audit_rules_unsuccessful_file_modification_truncate
+- audit_rules_usergroup_modification_group
+- audit_rules_usergroup_modification_gshadow
+- audit_rules_usergroup_modification_opasswd
+- audit_rules_usergroup_modification_passwd
+- audit_rules_usergroup_modification_shadow
 - auditd_audispd_configure_sufficiently_large_partition
 - auditd_data_disk_error_action
 - auditd_data_disk_full_action
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 2bbd1881f5..7c95e31545 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -77,7 +77,71 @@ selections:
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
+- audit_immutable_login_uids
+- audit_rules_dac_modification_chmod
+- audit_rules_dac_modification_chown
+- audit_rules_dac_modification_fchmod
+- audit_rules_dac_modification_fchmodat
+- audit_rules_dac_modification_fchown
+- audit_rules_dac_modification_fchownat
+- audit_rules_dac_modification_fremovexattr
+- audit_rules_dac_modification_fsetxattr
+- audit_rules_dac_modification_lchown
+- audit_rules_dac_modification_lremovexattr
+- audit_rules_dac_modification_lsetxattr
+- audit_rules_dac_modification_removexattr
+- audit_rules_dac_modification_setxattr
+- audit_rules_execution_chacl
+- audit_rules_execution_chcon
+- audit_rules_execution_semanage
+- audit_rules_execution_setfacl
+- audit_rules_execution_setfiles
+- audit_rules_execution_setsebool
+- audit_rules_file_deletion_events_rename
+- audit_rules_file_deletion_events_renameat
+- audit_rules_file_deletion_events_rmdir
+- audit_rules_file_deletion_events_unlink
+- audit_rules_file_deletion_events_unlinkat
+- audit_rules_immutable
+- audit_rules_kernel_module_loading_delete
+- audit_rules_kernel_module_loading_finit
+- audit_rules_kernel_module_loading_init
+- audit_rules_login_events_lastlog
+- audit_rules_media_export
+- audit_rules_privileged_commands_chage
+- audit_rules_privileged_commands_chsh
+- audit_rules_privileged_commands_crontab
+- audit_rules_privileged_commands_gpasswd
+- audit_rules_privileged_commands_kmod
+- audit_rules_privileged_commands_mount
+- audit_rules_privileged_commands_newgrp
+- audit_rules_privileged_commands_pam_timestamp_check
+- audit_rules_privileged_commands_passwd
+- audit_rules_privileged_commands_postdrop
+- audit_rules_privileged_commands_postqueue
+- audit_rules_privileged_commands_ssh_agent
+- audit_rules_privileged_commands_ssh_keysign
+- audit_rules_privileged_commands_su
+- audit_rules_privileged_commands_sudo
+- audit_rules_privileged_commands_umount
+- audit_rules_privileged_commands_unix_chkpwd
+- audit_rules_privileged_commands_unix_update
+- audit_rules_privileged_commands_userhelper
+- audit_rules_privileged_commands_usermod
+- audit_rules_sudoers
+- audit_rules_sudoers_d
 - audit_rules_suid_privilege_function
+- audit_rules_unsuccessful_file_modification_creat
+- audit_rules_unsuccessful_file_modification_ftruncate
+- audit_rules_unsuccessful_file_modification_open
+- audit_rules_unsuccessful_file_modification_open_by_handle_at
+- audit_rules_unsuccessful_file_modification_openat
+- audit_rules_unsuccessful_file_modification_truncate
+- audit_rules_usergroup_modification_group
+- audit_rules_usergroup_modification_gshadow
+- audit_rules_usergroup_modification_opasswd
+- audit_rules_usergroup_modification_passwd
+- audit_rules_usergroup_modification_shadow
 - auditd_audispd_configure_sufficiently_large_partition
 - auditd_data_disk_error_action
 - auditd_data_disk_full_action

From 67d07b479750430ce78aa6f5b9326901ec4bc532 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 14:32:46 +0200
Subject: [PATCH 16/21] Fix RHEL8 STIG id of
 audit_rules_privileged_commands_passwd.

---
 .../audit_rules_privileged_commands_passwd/rule.yml             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 06b5cfc4ae..60660a1314 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -54,7 +54,7 @@ references:
     srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
     stigid@ol7: OL07-00-030630
     stigid@rhel7: RHEL-07-030630
-    stigid@rhel8: RHEL-08-030280
+    stigid@rhel8: RHEL-08-030290
     stigid@sle12: SLES-12-020550
     stigid@sle15: SLES-15-030070
     stigid@ubuntu2004: UBTU-20-010172

From 9e11cb68aa68ec7d8dde7a9f5d9298bd3c74f9cb Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 15:49:08 +0200
Subject: [PATCH 17/21] Update audit rules description with regards to -F
 perm=x parameter.

---
 .../audit_rules_execution_chacl/rule.yml      |  6 ++---
 .../audit_rules_execution_setfacl/rule.yml    |  6 ++---
 .../audit_rules_execution_chcon/rule.yml      | 22 ++++++-------------
 .../audit_rules_execution_semanage/rule.yml   | 10 ++++++---
 .../audit_rules_execution_setfiles/rule.yml   | 10 ++++++---
 .../audit_rules_execution_setsebool/rule.yml  | 10 ++++++---
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  | 15 ++++++++++---
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  | 17 +++++++++-----
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  | 18 ++++++++++-----
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  |  8 +++++--
 .../rule.yml                                  | 13 +----------
 .../ansible.template                          |  2 +-
 .../bash.template                             |  2 +-
 .../oval.template                             |  2 +-
 27 files changed, 157 insertions(+), 88 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 0c71e4ac24..735817e4f0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -42,10 +42,10 @@ references:
 
 ocil: |-
     To verify that execution of the command is being audited, run the following command:
-    Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command.
+    Configure the operating system to generate an audit record for all uses of the "chacl" command.
     Add or update the following rules in the "/etc/audit/audit.rules" file:
-    -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-    -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
+    -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged
+    -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged
     The audit daemon must be restarted for the changes to take effect.
     # sudo systemctl restart auditd.service
 
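Review bot: The two rewritten rule lines read `-F arch=b32 path=/usr/bin/chacl`, with no `-F` in front of `path=`, so the rule shown is not valid auditctl syntax as written. An administrator copying it from the guidance would not get the intended audit record. It should read `-F arch=b32 -F path=/usr/bin/chacl`, and likewise on the b64 line. The same omission is in the audit_rules_execution_setfacl/rule.yml hunk that follows. The `ocil` text also opens with "run the following command" and then gives configuration steps rather than a check, which may be worth rewording while these lines are being touched.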
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index 89c134a0fa..341790d7dd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -42,10 +42,10 @@ references:
 
 ocil: |-
     To verify that execution of the command is being audited, run the following command:
-    Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command.
+    Configure the operating system to generate an audit record for all uses of the "setfacl" command.
     Add or update the following rules in the "/etc/audit/audit.rules" file:
-    -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-    -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
+    -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged
+    -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged
     The audit daemon must be restarted for the changes to take effect.
     # sudo systemctl restart auditd.service
     <pre>$ sudo grep "path=/usr/bin/setfacl" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
index 0c6781c7d5..4a5f43376a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
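Review bot: `perm_x` is set only when the product is in the listed set, yet the description and OCIL lines later in this file expand `{{{ perm_x }}}` for every product in `prodtype` (fedora, ol7, ol8 and so on). Whether an unset variable renders as an empty string or aborts the build depends on how the project configures Jinja undefined handling, which is not visible here. An explicit `{{%- else %}}` branch containing `{{%- set perm_x="" %}}` removes that dependency and documents the intent. The same pattern is in the audit_rules_execution_semanage and audit_rules_execution_setfiles rule.yml hunks.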
@@ -10,19 +14,11 @@ description: |-
     daemon is configured to use the <tt>augenrules</tt> program to read audit rules
     during daemon startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    {{% if product in ["sle12", "sle15"] %}}
-    <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% else %}}
-    <pre>-a always,exit -F path=/usr/bin/chcon -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% endif %}}
+    <pre>-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    {{% if product in ["sle12", "sle15"] %}}
-    <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% else %}}
-    <pre>-a always,exit -F path=/usr/bin/chcon -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% endif %}}
+    <pre>-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
@@ -73,11 +69,7 @@ ocil: |-
     To verify that execution of the command is being audited, run the following command:
     <pre>$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
     The output should return something similar to:
-    {{% if product in ["sle12", "sle15"] %}}
-    <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% else %}}
-    <pre>-a always,exit -F path=/usr/bin/chcon -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% endif %}}
+    <pre>-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 template:
     name: audit_rules_privileged_commands
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
index b609c3dfc2..a945ce16f8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     daemon is configured to use the <tt>augenrules</tt> program to read audit rules
     during daemon startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/semanage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F path=/usr/sbin/semanage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
@@ -59,7 +63,7 @@ ocil: |-
     To verify that execution of the command is being audited, run the following command:
     <pre>$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
     The output should return something similar to:
-    <pre>-a always,exit -F path=/usr/sbin/semanage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 template:
     name: audit_rules_privileged_commands
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
index 9de7407f4c..6db7d1daca 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4
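Review bot: `perm_x` is only assigned inside the `if product in [...]` block added at the top of this file, so on every other product in `prodtype` (ol7, ol8, rhcos4, rhel7, rhv4 here) the later `{{{ perm_x }}}` references an undefined name. That renders as nothing only if the build's Jinja environment tolerates undefined variables, which this patch does not show; an explicit `{{%- else %}}` / `{{%- set perm_x="" %}}` branch removes the dependency. The same four-line header is repeated in the setsebool, chage, chsh, crontab, gpasswd, mount, newgrp, pam_timestamp_check, passwd, postdrop, postqueue, ssh_keysign, su, sudo and umount rules in this patch, so a shared macro would also keep the product lists from drifting apart. It is worth confirming that the `audit_rules_privileged_commands` template's check and remediation emit `-F perm=x` for the same products, since the hunks here only change the description text.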
@@ -10,11 +14,11 @@ description: |-
     daemon is configured to use the <tt>augenrules</tt> program to read audit rules
     during daemon startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
@@ -49,7 +53,7 @@ ocil: |-
     To verify that execution of the command is being audited, run the following command:
     <pre>$ sudo grep "path=/usr/sbin/setfiles" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
     The output should return something similar to:
-    <pre>-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 template:
     name: audit_rules_privileged_commands
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
index 23504bab4a..c357c48fe6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     daemon is configured to use the <tt>augenrules</tt> program to read audit rules
     during daemon startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
@@ -58,7 +62,7 @@ ocil: |-
     To verify that execution of the command is being audited, run the following command:
     <pre>$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>
     The output should return something similar to:
-    <pre>-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 template:
     name: audit_rules_privileged_commands
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
index 474910c4c8..b5a9e29d2e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/chage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/chage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/chage -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/chage {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
index 3ca968a543..8cc2b236a9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/chsh -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/chsh {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/chsh -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/chsh {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index 7c5058c7f8..86633fb606 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/crontab -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/crontab {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/crontab -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/crontab {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
index 0c7bf84268..ac5bfb2cc5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/gpasswd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/gpasswd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index 851dd5aa3d..b469e42bbb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -1,3 +1,11 @@
+{{%- if product in ["rhel8"] %}}
+    {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" %}}
+{{%- elif product in ["ubuntu2004"] %}}
+    {{%- set kmod_audit="-w /bin/kmod -p x -k modules" %}}
+{{%- else %}}
+    {{%- set kmod_audit="-w /usr/bin/kmod -p x -k modules" %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: rhel8,sle12,sle15,ubuntu2004
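Review bot: The rhel8 branch hard-codes `auid>=1000` with a raw `>`, whereas every other rule text in this patch writes `-F auid&gt;={{{ auid }}}`. On a system whose minimum interactive UID differs, the documented rule would no longer match the rest of the profile, and the unescaped `>` lands inside `<pre>` in both the description and the OCIL. Assuming `auid` is available here as it is in the sibling files, the line could be `{{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid&gt;=" ~ auid ~ " -F auid!=unset -F key=privileged" %}}`. For the other products the text describes a `-w … -k modules` watch while the rule uses the `audit_rules_privileged_commands` template; whether that template's check accepts the watch form is not visible here and should be confirmed.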
@@ -10,11 +18,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-w /usr/bin/kmod -p x -k modules</pre>
+    <pre>{{{ kmod_audit }}}</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-w /usr/bin/kmod -p x -k modules</pre>
+    <pre>{{{ kmod_audit }}}</pre>
 
 rationale: |-
     Without generating audit records that are specific to the security and
@@ -48,7 +56,7 @@ ocil: |-
     following command:
 
     <pre># sudo grep kmod /etc/audit/audit.rules
-    -w /usr/bin/kmod -p x -k modules</pre>
+    {{{ kmod_audit }}}</pre>
 
     If the system is configured to audit the execution of the module management
     program "kmod", the command will return a line. If the command does not
@@ -60,3 +68,4 @@ template:
     name: audit_rules_privileged_commands
     vars:
         path: /usr/bin/kmod
+        path@ubuntu2004: /bin/kmod
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
index cc423c4146..56bd72b670 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/mount -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/mount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/mount -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/mount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index edbb41f3d8..4c14ea509c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/newgrp -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/newgrp {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/newgrp -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/newgrp {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index f5a3a4be02..c34eeb54c4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -1,8 +1,7 @@
-documentation_complete: true
 
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
-
-title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check'
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
 
 {{% if product in ["sle12", "sle15"] %}}
 {{% set pam_bin_path = "/sbin/pam_timestamp_check" %}}
@@ -10,6 +9,12 @@ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - p
 {{% set pam_bin_path = "/usr/sbin/pam_timestamp_check" %}}
 {{% endif %}}
 
+documentation_complete: true
+
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+
+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check'
+
 description: |-
     At a minimum, the audit system should collect the execution of
     privileged commands for all users and root. If the <tt>auditd</tt> daemon is
@@ -17,12 +22,12 @@ description: |-
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F path={{{ pam_bin_path }}}
-    -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
     <pre>-a always,exit -F path={{{ pam_bin_path }}}
-    -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
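Review bot: The sample rule in this description is still wrapped inside `<pre>`, so `{{{ perm_x }}}` now opens the second line and a reader pasting the text into `/etc/audit/rules.d` gets two lines, while audit rules are read one per line. The ssh_keysign hunk in this patch joins its rule onto a single line; doing the same here gives `<pre>-a always,exit -F path={{{ pam_bin_path }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>` for both occurrences. The `description` block begins outside this hunk.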
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 60660a1314..2af86f5042 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/passwd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/passwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/passwd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/passwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
index 8f90c9c211..9509216e8f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/postdrop {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/postdrop {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
index e913e83a0b..c5d1a82cc7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/postqueue {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/postqueue {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 5c39013572..604cbcda85 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -1,3 +1,13 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
+{{%- if product in ["sle12", "sle15"] %}}
+  {{%- set ssh_keysign_path="/usr/lib/ssh/ssh-keysign" %}}
+{{%- else %}}
+  {{%- set ssh_keysign_path="/usr/libexec/openssh/ssh-keysign" %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
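Review bot: `ssh_keysign_path` has only two outcomes, so ubuntu2004, which is listed in `prodtype`, gets `/usr/libexec/openssh/ssh-keysign`. Ubuntu's openssh-client normally installs the helper under `/usr/lib/openssh/`, so the documented rule would name a path that does not exist there (worth verifying on a 20.04 image). This carries over the behaviour of the old inline conditional, but now that the path is a named variable an `{{%- elif product in ["ubuntu2004"] %}}` branch, like the one added for kmod, is a small change. The `path` passed to the template is outside this hunk and would need the same per-product value.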
@@ -10,15 +20,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path={{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign
-    {{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}} -F auid&gt;={{{ auid }}} 
-    -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path={{{ ssh_keysign_path }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path={{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign
-    {{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}}
-    -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path={{{ ssh_keysign_path }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index 99e09ab4e3..87a81ee0c4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/su -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/su {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/su -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/su {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index aac859c4b1..e989091836 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/sudo -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/sudo {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/sudo -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/sudo {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index 061b5c28a7..5d47508bb9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
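Review bot: `perm_x` is set only inside the `if`, so for every other product in `prodtype` (fedora, ol7, ol8, rhel7, ubuntu2004, ...) the `{{{ perm_x }}}` in the description relies on an undefined Jinja variable rendering as an empty string. That holds only as long as the build does not use a strict undefined mode; an explicit `{{%- else %}}` branch with `{{%- set perm_x="" %}}` would make the intent deliberate. The product list also copies the guard in the shared `audit_rules_privileged_commands` templates, so the text an administrator follows and the rule the OVAL check expects can drift apart if one list is updated without the other. The same applies to the sudo hunk above and to the unix_chkpwd and userhelper hunks below (userhelper already carries a shorter list).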
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/bin/umount -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/umount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/bin/umount -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/bin/umount {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index 41a6123f5b..5be7f486c6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
index de8bab633a..6dccc80692 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
@@ -1,3 +1,7 @@
+{{%- if product in ["rhel8", "rhel9"] %}}
+  {{%- set perm_x="-F perm=x " %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4
@@ -10,11 +14,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/userhelper {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path=/usr/sbin/userhelper {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index 288d3c3bf2..7089016151 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -10,19 +10,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    {{% if 'ubuntu' in product %}}
     <pre>-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% else %}}
-    <pre>-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% endif %}}
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    {{% if 'ubuntu' in product %}}
     <pre>-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% else %}}
-    <pre>-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-    {{% endif %}}
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
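Review bot: Both `<pre>` lines kept in this hunk hard-code `-F perm=x`, while the sibling rules in this series emit it through `{{{ perm_x }}}` only for rhel8, rhel9, sle12 and sle15. If this rule is built for products outside that list, the description would show an audit rule containing `perm=x` that the shared template's remediation and check presumably do not use; the template body and this file's `prodtype` are outside the hunk, so this needs confirming. Writing the lines as `-F path=/usr/sbin/usermod {{{ perm_x }}}-F auid&gt;=...` with the same guard at the top of the file would keep the documented rule in step with what is checked.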
@@ -63,7 +55,4 @@ ocil: |-
 template:
     name: audit_rules_privileged_commands
     vars:
-        path: /usr/bin/usermod
-        path@ubuntu1604: /usr/sbin/usermod
-        path@ubuntu1804: /usr/sbin/usermod
-        path@ubuntu2004: /usr/sbin/usermod
+        path: /usr/sbin/usermod
diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index a245de6673..06154e10ce 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -1,4 +1,4 @@
-{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
   {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 2b3795674f..d03a92061c 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,4 +1,4 @@
-{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
   {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
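Review bot: The guard lists `sle12` and `sle15`, but the `# platform =` line directly below it has no `multi_platform_sle`, unlike the one in ansible.template. If that line decides which products receive this remediation, the SLE entries in the guard are dead in the bash template and SLE gets no bash fix for these audit rules. Either add `multi_platform_sle` to the platform line or drop the SLE entries here so the two lines agree. The rest of the template is outside the hunk.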
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index 8e3919ca66..c3d396e2ff 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -1,4 +1,4 @@
-{{%- if product in ["rhel8", "sle12", "sle15"] %}}
+{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
   {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
 {{%- endif %}}
 <def-group>

From fd801e1fd36a0e6724c043de2dbc75567738edfa Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 15:57:08 +0200
Subject: [PATCH 18/21] Update SRG mapping of chronyd_or_ntpd_set_maxpoll.

---
 .../guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 4827cf1359..854e8e8048 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -90,7 +90,7 @@ references:
     nist: CM-6(a),AU-8(1)(b)
     nist-csf: PR.PT-1
     nist@sle12: AU-8(1)(a),AU-8(1)(b)
-    srg: 'SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144'
+    srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
     stigid@ol7: OL07-00-040500
     stigid@rhel7: RHEL-07-040500
     stigid@rhel8: RHEL-08-030740

From 4a79ec12860e768e650bb7fd0962334d1c70223a Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Aug 2021 15:58:47 +0200
Subject: [PATCH 19/21] Remove SUSE keyword verbiage from rules.

---
 .../accounts/accounts-restrictions/account_unique_id/rule.yml | 4 ++--
 .../audit_rules_login_events_faillog/rule.yml                 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
index e55901dbdc..5cfdf48dba 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
@@ -32,8 +32,8 @@ ocil_clause: 'a line is returned'
 
 ocil: |-
     Run the following command to check for duplicate account names:
-    Check that the SUSE operating system contains no duplicate UIDs for interactive users by running the following command:
+    Check that the operating system contains no duplicate UIDs for interactive users by running the following command:
     <pre># awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd</pre>
     If output is produced, this is a finding.
-    Configure the SUSE operating system to contain no duplicate UIDs for interactive users.
+    Configure the operating system to contain no duplicate UIDs for interactive users.
     Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
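Review bot: The `ocil` text still reads as pasted STIG check-and-fix content after the wording change. Its first line says the command checks for duplicate account names, while the `awk` expression keys on field 3 of `/etc/passwd` and the following sentence speaks of duplicate UIDs. The last two lines ("Configure the operating system ..." and "Edit the file ...") are remediation steps, which an assessor following the OCIL would not expect in a check procedure. I would reduce the block to one introductory sentence, `Run the following command to check for duplicate UIDs:`, followed by the `<pre>` command, and move the fix text to the description.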
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
index 7a6d748ffe..97d6874e98 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
@@ -39,7 +39,7 @@ ocil_clause: 'there is no output'
 
 ocil: |-
     To verify that auditing is configured for system administrator actions, run the following command:
-    Configure the SUSE operating system to generate an audit record for any all modifications to the "faillog" file occur.
+    Configure the operating system to generate an audit record for any all modifications to the "faillog" file occur.
     Add or update the following rules in the "/etc/audit/audit.rules" file:
     -w /var/log/faillog -p wa -k logins
     The audit daemon must be restarted for the changes to take effect.
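Review bot: The `ocil` block announces "run the following command:" but no command follows, only configuration instructions, so the `ocil_clause` 'there is no output' has nothing to refer to. The changed sentence is also still ungrammatical ("for any all modifications to the "faillog" file occur"). I would replace the instructions with a verification command that shows the `-w /var/log/faillog -p wa -k logins` rule in the audit rules files, and fix the sentence to `generate an audit record for all modifications to the "faillog" file`.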

From 9122c246c124e26e1e059455ff66b9efa6601eeb Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 5 Aug 2021 14:39:13 +0200
Subject: [PATCH 20/21] Enable check_root_user for RHEL9 in audit rules dac.

---
 .../audit_rules_dac_modification_fremovexattr/rule.yml   | 9 +++++----
 .../audit_rules_dac_modification_fsetxattr/rule.yml      | 9 +++++----
 .../audit_rules_dac_modification_lremovexattr/rule.yml   | 1 +
 .../audit_rules_dac_modification_lsetxattr/rule.yml      | 9 +++++----
 .../audit_rules_dac_modification_removexattr/rule.yml    | 9 +++++----
 .../audit_rules_dac_modification_setxattr/rule.yml       | 9 +++++----
 6 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index d46968da8f..5bd1b25eaf 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -11,13 +11,13 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     <br /><br />
@@ -25,13 +25,13 @@ description: |-
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
 
@@ -92,3 +92,4 @@ template:
     vars:
         attr: fremovexattr
         check_root_user@rhel8: "true"
+        check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 564daccaed..410dd8a5ef 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -9,24 +9,24 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
 
@@ -87,3 +87,4 @@ template:
     vars:
         attr: fsetxattr
         check_root_user@rhel8: "true"
+        check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 2ae0f11c58..947c768efd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -92,3 +92,4 @@ template:
     vars:
         attr: lremovexattr
         check_root_user@rhel8: "true"
+        check_root_user@rhel9: "true"
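Review bot: `check_root_user@rhel9` is switched on here, but unlike the other five rule.yml files in this commit the lremovexattr description is not touched (the diffstat shows a single added line for this file). If its description guards the `-F auid=0` lines with `product in ["rhel8"]` as its siblings did, RHEL 9 content would check for root-user audit rules that the rule text never tells the administrator to add. The description is outside this hunk, so confirm; if so, change the guards to `{{%- if product in ["rhel8", "rhel9"] %}}` as in the fremovexattr file.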
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index 945ad560d7..ed1fd3715d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -9,24 +9,24 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
 
@@ -85,3 +85,4 @@ template:
     vars:
         attr: lsetxattr
         check_root_user@rhel8: "true"
+        check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index e6d7374b7f..61e69432d1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -10,13 +10,13 @@ description: |-
     program to read audit rules during daemon startup (the default), add the
     following line to a file with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     <br /><br />
@@ -24,13 +24,13 @@ description: |-
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     <br /><br />
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
 
@@ -91,3 +91,4 @@ template:
     vars:
         attr: removexattr
         check_root_user@rhel8: "true"
+        check_root_user@rhel9: "true"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index ab15167508..12489a74a0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -9,24 +9,24 @@ description: |-
     startup (the default), add the following line to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
     <pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
     <tt>/etc/audit/audit.rules</tt> file:
     <pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
     If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;={{{ auid }}} -F auid!=unset -F key=perm_mod</pre>
-{{%- if product in ["rhel8"] %}}
+{{%- if product in ["rhel8", "rhel9"] %}}
     <pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
 {{%- endif %}}
 
@@ -87,3 +87,4 @@ template:
     vars:
         attr: setxattr
         check_root_user@rhel8: "true"
+        check_root_user@rhel9: "true"

From 88e9061888f7fb5824e7e2c52e83edad6b432615 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 5 Aug 2021 15:53:17 +0200
Subject: [PATCH 21/21] Fix check and remediations of auditd_overflow_action.

The check was generating a new entry in the auditd.conf file without
spaces around the separator (equal sign). This caused auditd to fail to
start, since spaces around the separator are mandatory. This commit
also makes the check case insensitive, since the parameters
and values are case insensitive.
---
 .../auditd_overflow_action/ansible/shared.yml               | 6 +++---
 .../auditd_overflow_action/bash/shared.sh                   | 5 +++--
 .../auditd_overflow_action/oval/shared.xml                  | 6 +++---
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
index 4f88ed361d..166054a95a 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
@@ -3,6 +3,6 @@
 {{{ ansible_set_config_file(file="/etc/audit/auditd.conf",
                   parameter="overflow_action",
                   value="syslog",
-                  separator="=",
-                  separator_regex="=",
-                  prefix_regex="^\s*") }}}
+                  separator=" = ",
+                  separator_regex="\s*=\s*",
+                  prefix_regex="(?i)^\s*") }}}
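Review bot: The `(?i)` flag is carried inside `prefix_regex`, which only works if `ansible_set_config_file` puts that string at the very start of the regexp it builds. Python's `re`, which Ansible's line-matching modules use, rejects global inline flags that are not at the start of the expression from 3.11 on. The macro body is outside this hunk, so that placement is an assumption to confirm. The bash remediation in this commit uses a dedicated `insensitive=true` argument instead; if the Ansible macro has no equivalent, a comment next to `prefix_regex` saying why the flag lives there would help the next reader.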
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
index 539b9b6582..b397c811d1 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
@@ -7,6 +7,7 @@
 {{{set_config_file(path="/etc/audit/auditd.conf",
                   parameter="overflow_action",
                   value="syslog",
-                  separator="=",
-                  separator_regex="=",
+                  insensitive=true,
+                  separator=" = ",
+                  separator_regex="\s*=\s*",
                   prefix_regex="^\s*")}}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
index fd45280e4e..880d01bf72 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
@@ -1,6 +1,6 @@
 {{{ oval_check_config_file(
     path="/etc/audit/auditd.conf",
-    prefix_regex="^(?:.*\\n)*\s*",
+    prefix_regex="^[ \\t]*(?i)",
     parameter="overflow_action",
-    value="syslog|single|halt",
-    separator_regex="\s*=\s*") }}}
+    value="(?i)(syslog|single|halt)(?-i)",
+    separator_regex="(?-i)[ \\t]*=[ \\t]*") }}}
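Review bot: Case handling is split across three arguments: `prefix_regex` ends with `(?i)`, `value` wraps itself in `(?i)...(?-i)`, and `separator_regex` starts with `(?-i)`. The result therefore depends on the order in which `oval_check_config_file` joins them, which is not visible in this hunk. A template comment stating the expected assembled pattern, plus a test scenario with a mixed-case entry such as `Overflow_Action = SYSLOG`, would pin the behaviour. The new prefix also drops the `(?:.*\\n)*` part, so it presumably relies on the macro matching line by line. It is worth confirming that a commented-out `# overflow_action = syslog` line still does not satisfy the check, since a false pass here hides a misconfigured audit daemon.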