From 973b04979f25b8681652f31e096ad6a32f1cb9e8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 04 2020 00:59:14 +0000 Subject: import scap-security-guide-0.1.50-16.el8_3 --- diff --git a/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch b/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch new file mode 100644 index 0000000..d7fab70 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch @@ -0,0 +1,737 @@ +From 3aae2f86f3d75b8bd931922152b9a6175ed18a6b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 23 Jun 2020 22:27:47 +0200 +Subject: [PATCH 1/5] Add check for zipl installed + +Based and valid in RHEL, where zipl is part of s390utils-base. +--- + rhel8/cpe/rhel8-cpe-dictionary.xml | 4 ++ + .../oval/installed_env_has_zipl_package.xml | 37 +++++++++++++++++++ + ssg/constants.py | 1 + + 3 files changed, 42 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_zipl_package.xml + +diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml +index 694cbb5a4e..cccb3c5791 100644 +--- a/rhel8/cpe/rhel8-cpe-dictionary.xml ++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml +@@ -67,4 +67,8 @@ + + installed_env_has_yum_package + ++ ++ System uses zipl ++ installed_env_has_zipl_package ++ + +diff --git a/shared/checks/oval/installed_env_has_zipl_package.xml b/shared/checks/oval/installed_env_has_zipl_package.xml +new file mode 100644 +index 0000000000..ab6545669d +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_zipl_package.xml +@@ -0,0 +1,37 @@ ++ ++ ++ ++ System uses zIPL ++ ++ multi_platform_all ++ ++ Checks if system uses zIPL bootloader. ++ ++ ++ ++ ++ ++ ++ ++{{% if pkg_system == "rpm" %}} ++ ++ ++ ++ ++ s390utils-base ++ ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ s390utils-base ++ ++{{% endif %}} ++ ++ +diff --git a/ssg/constants.py b/ssg/constants.py +index fb20fe8107..f03aa87f09 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -506,6 +506,7 @@ + "sssd": "cpe:/a:sssd", + "systemd": "cpe:/a:systemd", + "yum": "cpe:/a:yum", ++ "zipl": "cpe:/a:zipl", + } + + # _version_name_map = { + +From c70bdc89bf193f2fdf59cb8c3f06672fc43a0505 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 23 Jun 2020 22:33:07 +0200 +Subject: [PATCH 2/5] Set zipl and machine platforms for zipl content + +Add zipl platform to bootloader-zipl and machine platform to all zipl +rules. +Final applicability of zipl rules is equivalent to "machine and zipl" +CPE platform. +--- + linux_os/guide/system/bootloader-zipl/group.yml | 2 +- + .../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 ++ + .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 ++ + .../guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml | 2 ++ + .../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 ++ + .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 2 ++ + .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 ++ + .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 ++ + 8 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml +index 36da84530c..64c6c8dffb 100644 +--- a/linux_os/guide/system/bootloader-zipl/group.yml ++++ b/linux_os/guide/system/bootloader-zipl/group.yml +@@ -8,4 +8,4 @@ description: |- + options to it. + The default {{{ full_name }}} boot loader for s390x systems is called zIPL. + +-platform: machine ++platform: zipl +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +index 16c0b3f89a..2d31ef8ee7 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -38,3 +38,5 @@ ocil: |- + and /etc/zipl.conf: + 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +index 47a532d50f..40db232257 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -39,3 +39,5 @@ ocil: |- + and /etc/zipl.conf: + 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +index 5aa91c16aa..8d28d5495f 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +@@ -35,3 +35,5 @@ ocil: |- + and /etc/zipl.conf: + 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +index 8546325752..0a8e9a41e2 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +@@ -39,3 +39,5 @@ ocil: |- + and /etc/zipl.conf: + 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +index eaef25ce40..20c1448cc8 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +@@ -38,3 +38,5 @@ ocil: |- + and /etc/zipl.conf: + 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +index 68e91a92d6..54ac688ea0 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -39,3 +39,5 @@ ocil: |- + and /etc/zipl.conf: + 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +index 9624b43349..c5979a2016 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +@@ -36,3 +36,5 @@ ocil: |- + and /etc/zipl.conf: + 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine + +From 02f961ecbe8bcafab72f544c2bc0f9141b9fa8fa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 23 Jun 2020 23:02:44 +0200 +Subject: [PATCH 3/5] Add check for grub2 installed + +Apply new CPE grub2 to bootloader-grub2 group. +--- + .../file_groupowner_efi_grub2_cfg/rule.yml | 2 + + .../file_groupowner_grub2_cfg/rule.yml | 2 + + .../file_owner_efi_grub2_cfg/rule.yml | 2 + + .../file_owner_grub2_cfg/rule.yml | 2 + + .../guide/system/bootloader-grub2/group.yml | 2 +- + .../grub2_admin_username/rule.yml | 2 + + .../grub2_enable_iommu_force/rule.yml | 2 + + .../grub2_no_removeable_media/rule.yml | 2 + + .../bootloader-grub2/grub2_password/rule.yml | 2 + + .../grub2_uefi_admin_username/rule.yml | 2 + + .../grub2_uefi_password/rule.yml | 2 + + .../uefi_no_removeable_media/rule.yml | 2 + + .../oval/installed_env_has_grub2_package.xml | 37 +++++++++++++++++++ + ssg/constants.py | 1 + + 14 files changed, 61 insertions(+), 1 deletion(-) + create mode 100644 shared/checks/oval/installed_env_has_grub2_package.xml + +diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml +index b5b583bd28..a6ac6f7b6b 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml +@@ -51,6 +51,8 @@ ocil: |- + {{{ ocil_file_group_owner(file="/boot/efi/EFI/redhat/grub.cfg", group="root") }}} + {{%- endif %}} + ++platform: machine ++ + template: + name: file_groupowner + vars: +diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml +index 9d89ff5755..93dbf5222d 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml +@@ -39,6 +39,8 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/grub2/grub.cfg", grou + + ocil: '{{{ ocil_file_group_owner(file="/boot/grub2/grub.cfg", group="root") }}}' + ++platform: machine ++ + template: + name: file_groupowner + vars: +diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml +index ed17987478..e2c118cf0a 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml +@@ -49,6 +49,8 @@ ocil: |- + {{{ ocil_file_owner(file="/boot/efi/EFI/redhat/grub.cfg", owner="root") }}} + {{%- endif %}} + ++platform: machine ++ + template: + name: file_owner + vars: +diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml +index 9ce4c3d60b..5086553921 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml +@@ -37,6 +37,8 @@ ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/grub2/grub.cfg", owner="roo + + ocil: '{{{ ocil_file_owner(file="/boot/grub2/grub.cfg", owner="root") }}}' + ++platform: machine ++ + template: + name: file_owner + vars: +diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml +index 69489bc0c2..4ffb40c0e8 100644 +--- a/linux_os/guide/system/bootloader-grub2/group.yml ++++ b/linux_os/guide/system/bootloader-grub2/group.yml +@@ -15,4 +15,4 @@ description: |- + with a password and ensure its configuration file's permissions + are set properly. + +-platform: machine ++platform: grub2 +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml +index 63a6a7a83c..15db01a75f 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml +@@ -68,3 +68,5 @@ warnings: + + Also, do NOT manually add the superuser account and password to the + grub.cfg file as the grub2-mkconfig command overwrites this file. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +index baade9c13e..d4f455e66a 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +@@ -17,3 +17,5 @@ identifiers: + + references: + anssi: NT28(R11) ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml +index 113726d34f..c8956c2f34 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml +@@ -37,3 +37,5 @@ ocil: |- + usb0, cd, fd0, etc. are some examples of removeable + media which should not exist in the line: + 
set root='hd0,msdos1'
++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml +index 985b8727d7..b6e9774608 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml +@@ -72,3 +72,5 @@ warnings: + + Also, do NOT manually add the superuser account and password to the + grub.cfg file as the grub2-mkconfig command overwrites this file. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml +index 1926837db7..5abd86b9d9 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml +@@ -75,3 +75,5 @@ warnings: + + Also, do NOT manually add the superuser account and password to the + grub.cfg file as the grub2-mkconfig command overwrites this file. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +index 3ce5a2df13..3114d2d27c 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +@@ -73,3 +73,5 @@ warnings: + + Also, do NOT manually add the superuser account and password to the + grub.cfg file as the grub2-mkconfig command overwrites this file. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml +index c94185f3f4..5de05c057a 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml +@@ -35,3 +35,5 @@ ocil: |- + usb0, cd, fd0, etc. are some examples of removeable + media which should not exist in the line: + 
set root='hd0,msdos1'
++ ++platform: machine +diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml +new file mode 100644 +index 0000000000..e83f45bc3b +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_grub2_package.xml +@@ -0,0 +1,37 @@ ++ ++ ++ ++ Package grub2 is installed ++ ++ multi_platform_all ++ ++ Checks if package grub2-pc is installed. ++ ++ ++ ++ ++ ++ ++ ++{{% if pkg_system == "rpm" %}} ++ ++ ++ ++ ++ grub2-pc ++ ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ grub2-pc ++ ++{{% endif %}} ++ ++ +diff --git a/ssg/constants.py b/ssg/constants.py +index f03aa87f09..318763b219 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -498,6 +498,7 @@ + "container": "cpe:/a:container", + "chrony": "cpe:/a:chrony", + "gdm": "cpe:/a:gdm", ++ "grub2": "cpe:/a:grub2", + "libuser": "cpe:/a:libuser", + "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", + "ntp": "cpe:/a:ntp", + +From 8bb44ebe9c32b7916a7291b1fa5735b381494cfb Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 2 Jul 2020 16:58:14 +0200 +Subject: [PATCH 4/5] Move grub2_disable_interactive_boot to grub2 platform + +It should have both platforms machine and grub2. +But as the parent group is very broad, I cannot put parent group as +machine. + +As a side effect this change makes this rules applicable in containers. +--- + .../accounts-physical/grub2_disable_interactive_boot/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml +index 3080470aa8..44ea1aa49a 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml +@@ -48,4 +48,4 @@ ocil: |- + Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates + that interactive boot is enabled at boot time. + +-platform: machine ++platform: grub2 + +From 17ba5bc9ecc955911b7a3ab30bcd221283472b3f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 23 Jun 2020 23:20:18 +0200 +Subject: [PATCH 5/5] Update CPE Dictionaries + +Again, whenever a package CPE is added, all CPE dictionaries need to be +updated. +Because the project doesn't share CPEs among the products. +--- + debian10/cpe/debian10-cpe-dictionary.xml | 5 +++++ + debian8/cpe/debian8-cpe-dictionary.xml | 5 +++++ + debian9/cpe/debian9-cpe-dictionary.xml | 5 +++++ + fedora/cpe/fedora-cpe-dictionary.xml | 5 +++++ + ol7/cpe/ol7-cpe-dictionary.xml | 5 +++++ + ol8/cpe/ol8-cpe-dictionary.xml | 5 +++++ + opensuse/cpe/opensuse-cpe-dictionary.xml | 5 +++++ + rhel7/cpe/rhel7-cpe-dictionary.xml | 5 +++++ + rhel8/cpe/rhel8-cpe-dictionary.xml | 5 +++++ + rhv4/cpe/rhv4-cpe-dictionary.xml | 5 +++++ + sle11/cpe/sle11-cpe-dictionary.xml | 5 +++++ + sle12/cpe/sle12-cpe-dictionary.xml | 5 +++++ + sle15/cpe/sle15-cpe-dictionary.xml | 5 +++++ + ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 5 +++++ + ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 5 +++++ + ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 5 +++++ + wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 5 +++++ + wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 5 +++++ + 18 files changed, 90 insertions(+) + +diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml +index 5cc27ceb79..f2dbd09cfc 100644 +--- a/debian10/cpe/debian10-cpe-dictionary.xml ++++ b/debian10/cpe/debian10-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml +index 38d490138a..f385709052 100644 +--- a/debian8/cpe/debian8-cpe-dictionary.xml ++++ b/debian8/cpe/debian8-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml +index f01770b044..bc90a12bae 100644 +--- a/debian9/cpe/debian9-cpe-dictionary.xml ++++ b/debian9/cpe/debian9-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml +index 2964e320c2..ff7cebc322 100644 +--- a/fedora/cpe/fedora-cpe-dictionary.xml ++++ b/fedora/cpe/fedora-cpe-dictionary.xml +@@ -62,6 +62,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml +index c153272121..613f853a6d 100644 +--- a/ol7/cpe/ol7-cpe-dictionary.xml ++++ b/ol7/cpe/ol7-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml +index 3fd74e53ca..912fe01346 100644 +--- a/ol8/cpe/ol8-cpe-dictionary.xml ++++ b/ol8/cpe/ol8-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml +index 1ab4e85ea8..7f485b800e 100644 +--- a/opensuse/cpe/opensuse-cpe-dictionary.xml ++++ b/opensuse/cpe/opensuse-cpe-dictionary.xml +@@ -42,6 +42,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml +index a5214e36f0..f232b7ed29 100644 +--- a/rhel7/cpe/rhel7-cpe-dictionary.xml ++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml +@@ -57,6 +57,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml +index cccb3c5791..eab827291f 100644 +--- a/rhel8/cpe/rhel8-cpe-dictionary.xml ++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml +index ce9b06dcae..db1b4b239b 100644 +--- a/rhv4/cpe/rhv4-cpe-dictionary.xml ++++ b/rhv4/cpe/rhv4-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml +index c732ecb48a..1b6b3e2518 100644 +--- a/sle11/cpe/sle11-cpe-dictionary.xml ++++ b/sle11/cpe/sle11-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml +index 79daa31412..b1b66e1294 100644 +--- a/sle12/cpe/sle12-cpe-dictionary.xml ++++ b/sle12/cpe/sle12-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/sle15/cpe/sle15-cpe-dictionary.xml b/sle15/cpe/sle15-cpe-dictionary.xml +index 91d3d78b19..0ee5a1b817 100644 +--- a/sle15/cpe/sle15-cpe-dictionary.xml ++++ b/sle15/cpe/sle15-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml +index df5abff723..7f3ce4271b 100644 +--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml ++++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml +index 6269344376..83f0c8c516 100644 +--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml ++++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml +index ccb285768e..77b78d74ec 100644 +--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml ++++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml +index 73e419c9ab..cc4e806a4d 100644 +--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml ++++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml +@@ -26,6 +26,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml +index 8449ea1416..824c575a6a 100644 +--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml ++++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml +@@ -26,6 +26,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + diff --git a/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch b/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch new file mode 100644 index 0000000..084c528 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch @@ -0,0 +1,595 @@ +From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 25 May 2020 14:33:06 +0200 +Subject: [PATCH 1/5] Add zIPL bootloader group + +--- + linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml +new file mode 100644 +index 0000000000..36da84530c +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/group.yml +@@ -0,0 +1,11 @@ ++documentation_complete: true ++ ++title: 'zIPL bootloader configuration' ++ ++description: |- ++ During the boot process, the bootloader is ++ responsible for starting the execution of the kernel and passing ++ options to it. ++ The default {{{ full_name }}} boot loader for s390x systems is called zIPL. ++ ++platform: machine + +From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 25 May 2020 15:26:19 +0200 +Subject: [PATCH 2/5] Add zIPL rule for early audit capability + +--- + .../zipl_audit_argument/rule.yml | 40 +++++++++++++++++++ + 1 file changed, 40 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +new file mode 100644 +index 0000000000..ce2bd60c59 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -0,0 +1,40 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL' ++ ++description: |- ++ To ensure all processes can be audited, even those which start prior to the audit daemon, ++ check that all boot entries in /boot/loader/entries/*.conf have audit=1 ++ included in its options. ++ Make sure /etc/zipl.conf doesn't contain 
image =
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run 
zipl
command so that /boot/bootmap is updated. ++ ++ To ensure that new kernels and boot entries continue to enable audit, ++ add 
audit=1
to /etc/kernel/cmdline. ++ ++rationale: |- ++ Each process on the system carries an "auditable" flag which indicates whether ++ its activities can be audited. Although auditd takes care of enabling ++ this for all processes which launch after it does, adding the kernel argument ++ ensures it is set for every process during boot. ++ ++severity: medium ++ ++ocil_clause: 'auditing is not enabled at boot time' ++ ++ocil: |- ++ To check that audit is enabled at boot time, check all boot entries with following command: ++ 
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that doesn't enable audit. ++ ++ Check that no image file is specified in /etc/zipl.conf: ++ 
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended. ++ ++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++ 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. + +From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 26 May 2020 15:06:12 +0200 +Subject: [PATCH 3/5] Add few more zIPL kernel option rules + +Add rules for following options: +- audit_backlog_limit +- selinux +- audit_backlog_limit +- enable_selinux +- page_poison +- pti +- slub_debug +- vsyscall +--- + .../rule.yml | 41 +++++++++++++++++++ + .../zipl_enable_selinux/rule.yml | 37 +++++++++++++++++ + .../zipl_page_poison_argument/rule.yml | 41 +++++++++++++++++++ + .../zipl_pti_argument/rule.yml | 40 ++++++++++++++++++ + .../zipl_slub_debug_argument/rule.yml | 41 +++++++++++++++++++ + .../zipl_vsyscall_argument/rule.yml | 41 +++++++++++++++++++ + 6 files changed, 241 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +new file mode 100644 +index 0000000000..08c5b53207 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL' ++ ++description: |- ++ To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, ++ check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 ++ included in its options. ++ Make sure /etc/zipl.conf doesn't contain 
image =
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run 
zipl
command so that /boot/bootmap is updated. ++ ++ To ensure that new kernels and boot entries continue to extend the audit log events queue, ++ add 
audit_backlog_limit=8192
to /etc/kernel/cmdline. ++ ++rationale: |- ++ audit_backlog_limit sets the queue length for audit events awaiting transfer ++ to the audit daemon. Until the audit daemon is up and running, all log messages ++ are stored in this queue. If the queue is overrun during boot process, the action ++ defined by audit failure flag is taken. ++ ++severity: medium ++ ++ocil_clause: 'audit backlog limit is not configured' ++ ++ocil: |- ++ To check that all boot entries extend the backlog limit; ++ Check that all boot entries extend the log events queue: ++ 
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that does not extend the log events queue. ++ ++ Check that no image file is specified in /etc/zipl.conf: ++ 
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended. ++ ++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++ 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +new file mode 100644 +index 0000000000..e7a455b90c +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +@@ -0,0 +1,37 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Ensure SELinux Not Disabled in zIPL' ++ ++description: |- ++ To ensure SELinux is not disabled at boot time, ++ check that no boot entry in /boot/loader/entries/*.conf has selinux=0 ++ included in its options. ++ Make sure /etc/zipl.conf doesn't contain 
image =
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run 
zipl
command so that /boot/bootmap is updated. ++ ++rationale: |- ++ Disabling a major host protection feature, such as SELinux, at boot time prevents ++ it from confining system services at boot time. Further, it increases ++ the chances that it will remain off during system operation. ++ ++severity: medium ++ ++ocil_clause: 'SELinux is disabled at boot time' ++ ++ocil: |- ++ To check that selinux is not disabled at boot time; ++ Check that no boot entry disables selinux: ++ 
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that disables SELinux. ++ ++ Check that no image file is specified in /etc/zipl.conf: ++ 
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended. ++ ++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++ 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +new file mode 100644 +index 0000000000..b8a2eecee6 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Enable page allocator poisoning in zIPL' ++ ++description: |- ++ To enable poisoning of free pages, ++ check that all boot entries in /boot/loader/entries/*.conf have page_poison=1 ++ included in its options. ++ Make sure /etc/zipl.conf doesn't contain 
image =
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run 
zipl
command so that /boot/bootmap is updated. ++ ++ To ensure that new kernels and boot entries continue to enable page poisoning, ++ add 
page_poison=1
to /etc/kernel/cmdline. ++ ++rationale: |- ++ Poisoning writes an arbitrary value to freed pages, so any modification or ++ reference to that page after being freed or before being initialized will be ++ detected and prevented. ++ This prevents many types of use-after-free vulnerabilities at little performance cost. ++ Also prevents leak of data and detection of corrupted memory. ++ ++severity: medium ++ ++ocil_clause: 'page allocator poisoning is not enabled' ++ ++ocil: |- ++ To check that page poisoning is enabled at boot time, check all boot entries with following command: ++ 
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. ++ ++ Check that no image file is specified in /etc/zipl.conf: ++ 
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended. ++ ++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++ 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +new file mode 100644 +index 0000000000..4757871a5f +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +@@ -0,0 +1,40 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL' ++ ++description: |- ++ To enable Kernel page-table isolation, ++ check that all boot entries in /boot/loader/entries/*.conf have pti=on ++ included in its options. ++ Make sure /etc/zipl.conf doesn't contain 
image =
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run 
zipl
command so that /boot/bootmap is updated. ++ ++ To ensure that new kernels and boot entries continue to enable page-table isolation, ++ add 
pti=on
to /etc/kernel/cmdline. ++ ++rationale: |- ++ Kernel page-table isolation is a kernel feature that mitigates ++ the Meltdown security vulnerability and hardens the kernel ++ against attempts to bypass kernel address space layout ++ randomization (KASLR). ++ ++severity: medium ++ ++ocil_clause: 'Kernel page-table isolation is not enabled' ++ ++ocil: |- ++ To check that page-table isolation is enabled at boot time, check all boot entries with following command: ++ 
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation . ++ ++ Check that no image file is specified in /etc/zipl.conf: ++ 
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended. ++ ++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++ 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +new file mode 100644 +index 0000000000..166dd41afd +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Enable SLUB/SLAB allocator poisoning in zIPL' ++ ++description: |- ++ To enable poisoning of SLUB/SLAB objects, ++ check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P ++ included in its options. ++ Make sure /etc/zipl.conf doesn't contain 
image =
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run 
zipl
command so that /boot/bootmap is updated. ++ ++ To ensure that new kernels and boot entries continue to extend the audit log events queue, ++ add 
slub_debug=P
to /etc/kernel/cmdline. ++ ++rationale: |- ++ Poisoning writes an arbitrary value to freed objects, so any modification or ++ reference to that object after being freed or before being initialized will be ++ detected and prevented. ++ This prevents many types of use-after-free vulnerabilities at little performance cost. ++ Also prevents leak of data and detection of corrupted memory. ++ ++severity: medium ++ ++ocil_clause: 'SLUB/SLAB poisoning is not enabled' ++ ++ocil: |- ++ To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command; ++ 
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that does not enable poisoning. ++ ++ Check that no image file is specified in /etc/zipl.conf: ++ 
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended. ++ ++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++ 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +new file mode 100644 +index 0000000000..6b95d16fb8 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Disable vsyscalls in zIPL' ++ ++description: |- ++ To disable use of virtual syscalls, ++ check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none ++ included in its options. ++ Make sure /etc/zipl.conf doesn't contain 
image =
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run 
zipl
command so that /boot/bootmap is updated. ++ ++ To ensure that new kernels and boot entries continue to disable virtual syscalls, ++ add 
vsyscall=none
to /etc/kernel/cmdline. ++ ++rationale: |- ++ Poisoning writes an arbitrary value to freed pages, so any modification or ++ reference to that page after being freed or before being initialized will be ++ detected and prevented. ++ This prevents many types of use-after-free vulnerabilities at little performance cost. ++ Also prevents leak of data and detection of corrupted memory. ++ ++severity: medium ++ ++ocil_clause: 'vsyscalls are enabled' ++ ++ocil: |- ++ To check that virtual syscalls are disabled at boot time, check all boot entries with following command: ++ 
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. ++ ++ Check that no image file is specified in /etc/zipl.conf: ++ 
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended. ++ ++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++ 
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. + +From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Jun 2020 13:29:39 +0200 +Subject: [PATCH 4/5] Fix formatting of zIPL rules + +
 is renderend in a separate line, while  is rendered inline.
+Add line breaks for better readability.
+---
+ .../bootloader-zipl/zipl_audit_argument/rule.yml       | 10 +++++-----
+ .../zipl_audit_backlog_limit_argument/rule.yml         | 10 +++++-----
+ .../bootloader-zipl/zipl_enable_selinux/rule.yml       |  8 ++++----
+ .../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
+ .../system/bootloader-zipl/zipl_pti_argument/rule.yml  | 10 +++++-----
+ .../bootloader-zipl/zipl_slub_debug_argument/rule.yml  | 10 +++++-----
+ .../bootloader-zipl/zipl_vsyscall_argument/rule.yml    | 10 +++++-----
+ 7 files changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index ce2bd60c59..16c0b3f89a 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
+ description: |-
+     To ensure all processes can be audited, even those which start prior to the audit daemon,
+     check that all boot entries in /boot/loader/entries/*.conf have audit=1
+-    included in its options.
+-    Make sure /etc/zipl.conf doesn't contain 
image = 
 setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run 
zipl
 command so that /boot/bootmap is updated.
++    included in its options.

++    Make sure /etc/zipl.conf doesn't contain image =  setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

++    And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to enable audit,
+-    add 
audit=1
 to /etc/kernel/cmdline.
++    add audit=1 to /etc/kernel/cmdline.
+ 
+ rationale: |-
+     Each process on the system carries an "auditable" flag which indicates whether
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 08c5b53207..47a532d50f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
+ description: |-
+     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+     check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192
+-    included in its options.
+-    Make sure /etc/zipl.conf doesn't contain 
image = 
 setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run 
zipl
 command so that /boot/bootmap is updated.
++    included in its options.

++    Make sure /etc/zipl.conf doesn't contain image =  setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

++    And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+-    add 
audit_backlog_limit=8192
 to /etc/kernel/cmdline.
++    add audit_backlog_limit=8192 to /etc/kernel/cmdline.
+ 
+ rationale: |-
+     audit_backlog_limit sets the queue length for audit events awaiting transfer
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+index e7a455b90c..5aa91c16aa 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
+ description: |-
+     To ensure SELinux is not disabled at boot time,
+     check that no boot entry in /boot/loader/entries/*.conf has selinux=0
+-    included in its options.
+-    Make sure /etc/zipl.conf doesn't contain 
image = 
 setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run 
zipl
 command so that /boot/bootmap is updated.
++    included in its options.

++    Make sure /etc/zipl.conf doesn't contain image =  setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

++    And run zipl command so that /boot/bootmap is updated.


+ 
+ rationale: |-
+     Disabling a major host protection feature, such as SELinux, at boot time prevents
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index b8a2eecee6..8546325752 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
+ description: |-
+     To enable poisoning of free pages,
+     check that all boot entries in /boot/loader/entries/*.conf have page_poison=1
+-    included in its options.
+-    Make sure /etc/zipl.conf doesn't contain 
image = 
 setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run 
zipl
 command so that /boot/bootmap is updated.
++    included in its options.

++    Make sure /etc/zipl.conf doesn't contain image =  setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

++    And run zipl command so that /boot/bootmap is updated.

+ 
+     To ensure that new kernels and boot entries continue to enable page poisoning,
+-    add 
page_poison=1
 to /etc/kernel/cmdline.
++    add page_poison=1 to /etc/kernel/cmdline.
+ 
+ rationale: |-
+     Poisoning writes an arbitrary value to freed pages, so any modification or
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 4757871a5f..eaef25ce40 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+ description: |-
+     To enable Kernel page-table isolation,
+     check that all boot entries in /boot/loader/entries/*.conf have pti=on
+-    included in its options.
+-    Make sure /etc/zipl.conf doesn't contain 
image = 
 setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run 
zipl
 command so that /boot/bootmap is updated.
++    included in its options.

++    Make sure /etc/zipl.conf doesn't contain image =  setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

++    And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to enable page-table isolation,
+-    add 
pti=on
 to /etc/kernel/cmdline.
++    add pti=on to /etc/kernel/cmdline.
+ 
+ rationale: |-
+     Kernel page-table isolation is a kernel feature that mitigates
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 166dd41afd..68e91a92d6 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
+ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P
+-    included in its options.
+-    Make sure /etc/zipl.conf doesn't contain 
image = 
 setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run 
zipl
 command so that /boot/bootmap is updated.
++    included in its options.

++    Make sure /etc/zipl.conf doesn't contain image =  setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

++    And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+-    add 
slub_debug=P
 to /etc/kernel/cmdline.
++    add slub_debug=P to /etc/kernel/cmdline.
+ 
+ rationale: |-
+     Poisoning writes an arbitrary value to freed objects, so any modification or
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 6b95d16fb8..8d39337f9e 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
+ description: |-
+     To disable use of virtual syscalls,
+     check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none
+-    included in its options.
+-    Make sure /etc/zipl.conf doesn't contain 
image = 
 setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run 
zipl
 command so that /boot/bootmap is updated.
++    included in its options.

++    Make sure /etc/zipl.conf doesn't contain image =  setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

++    And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to disable virtual syscalls,
+-    add 
vsyscall=none
 to /etc/kernel/cmdline.
++    add vsyscall=none to /etc/kernel/cmdline.
+ 
+ rationale: |-
+     Poisoning writes an arbitrary value to freed pages, so any modification or
+
+From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 3 Jun 2020 13:08:07 +0200
+Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale
+
+copy-pasta error
+---
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 8d39337f9e..9624b43349 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -16,11 +16,8 @@ description: |-
+     add vsyscall=none to /etc/kernel/cmdline.
+ 
+ rationale: |-
+-    Poisoning writes an arbitrary value to freed pages, so any modification or
+-    reference to that page after being freed or before being initialized will be
+-    detected and prevented.
+-    This prevents many types of use-after-free vulnerabilities at little performance cost.
+-    Also prevents leak of data and detection of corrupted memory.
++    Virtual Syscalls provide an opportunity of attack for a user who has control
++    of the return instruction pointer.
+ 
+ severity: medium
+ 
diff --git a/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch b/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
new file mode 100644
index 0000000..58339fa
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
@@ -0,0 +1,29 @@
+From c7d49a79cffdbfb2e1231077f665cbb940b50a98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
+Date: Mon, 13 Jul 2020 17:52:35 +0200
+Subject: [PATCH] Fix SCAPVAL error SRC-15
+
+The CPE `cpe:/a:grub2` is used in `xccdf-1.2:platform` element
+in group `bootloader-grub2`, but this CPE isn't defined in the
+RHEL 6 CPE dictionary. All used CPEs should be defined in the
+dictionary.
+---
+ rhel6/cpe/rhel6-cpe-dictionary.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
+index bca8986f7a..1b696b88d3 100644
+--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
++++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
+@@ -47,6 +47,11 @@
+             
+             installed_env_has_gdm_package
+       
++      
++            Package grub2 is installed
++            
++            installed_env_has_grub2_package
++      
+       
+             Package libuser is installed
+             
diff --git a/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch b/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
new file mode 100644
index 0000000..1f77753
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
@@ -0,0 +1,250 @@
+From d1b9040748605416220e09feb56fc5a6b6402f1e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
+Date: Tue, 7 Jul 2020 16:37:30 +0200
+Subject: [PATCH] Add zipl to CPE dictionaries in all Linux products
+
+The CPE platform `cpe:/a:zipl` has been set as a platform for XCCDF
+group `bootloader-zipl` but the definition of the CPE was missing from
+the CPE dictionary in some datastreams, for example fedora datastream.
+This triggered error SRC-15 in NIST scapval tool.
+---
+ debian10/cpe/debian10-cpe-dictionary.xml       | 4 ++++
+ debian8/cpe/debian8-cpe-dictionary.xml         | 4 ++++
+ debian9/cpe/debian9-cpe-dictionary.xml         | 4 ++++
+ fedora/cpe/fedora-cpe-dictionary.xml           | 4 ++++
+ ol7/cpe/ol7-cpe-dictionary.xml                 | 4 ++++
+ ol8/cpe/ol8-cpe-dictionary.xml                 | 4 ++++
+ opensuse/cpe/opensuse-cpe-dictionary.xml       | 4 ++++
+ rhel6/cpe/rhel6-cpe-dictionary.xml             | 4 ++++
+ rhel7/cpe/rhel7-cpe-dictionary.xml             | 4 ++++
+ rhv4/cpe/rhv4-cpe-dictionary.xml               | 4 ++++
+ sle11/cpe/sle11-cpe-dictionary.xml             | 4 ++++
+ sle12/cpe/sle12-cpe-dictionary.xml             | 4 ++++
+ ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml   | 4 ++++
+ ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml   | 4 ++++
+ ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml   | 4 ++++
+ wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 4 ++++
+ wrlinux8/cpe/wrlinux8-cpe-dictionary.xml       | 4 ++++
+ 19 files changed, 76 insertions(+)
+
+diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
+index f2dbd09cfc..ddb68c34bd 100644
+--- a/debian10/cpe/debian10-cpe-dictionary.xml
++++ b/debian10/cpe/debian10-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
+index f385709052..24bbca69cd 100644
+--- a/debian8/cpe/debian8-cpe-dictionary.xml
++++ b/debian8/cpe/debian8-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
+index bc90a12bae..d5595fd594 100644
+--- a/debian9/cpe/debian9-cpe-dictionary.xml
++++ b/debian9/cpe/debian9-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
+index ff7cebc322..bef1337fc9 100644
+--- a/fedora/cpe/fedora-cpe-dictionary.xml
++++ b/fedora/cpe/fedora-cpe-dictionary.xml
+@@ -107,4 +107,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
+index 613f853a6d..5d4691aaf6 100644
+--- a/ol7/cpe/ol7-cpe-dictionary.xml
++++ b/ol7/cpe/ol7-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
+index 912fe01346..35167b1f70 100644
+--- a/ol8/cpe/ol8-cpe-dictionary.xml
++++ b/ol8/cpe/ol8-cpe-dictionary.xml
+@@ -67,4 +67,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
+index 7f485b800e..6b95e46d3f 100644
+--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
++++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
+@@ -87,4 +87,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
+index 2c8a82ebc5..bca8986f7a 100644
+--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
++++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
+@@ -87,4 +87,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
+index f232b7ed29..bc2aa869e8 100644
+--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
+@@ -102,4 +102,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
+index db1b4b239b..02450d6efc 100644
+--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
++++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
+index 1b6b3e2518..b7cb4e1fd5 100644
+--- a/sle11/cpe/sle11-cpe-dictionary.xml
++++ b/sle11/cpe/sle11-cpe-dictionary.xml
+@@ -77,4 +77,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
+index b1b66e1294..73cddd7740 100644
+--- a/sle12/cpe/sle12-cpe-dictionary.xml
++++ b/sle12/cpe/sle12-cpe-dictionary.xml
+@@ -77,4 +77,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+index 7f3ce4271b..3f5447741b 100644
+--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
++++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+index 83f0c8c516..e3e842842b 100644
+--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
++++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+index 77b78d74ec..897673c6f5 100644
+--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
++++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+index cc4e806a4d..ef7e803505 100644
+--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
++++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+@@ -71,4 +71,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
+diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+index 824c575a6a..7184ebfd0b 100644
+--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
++++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+@@ -71,4 +71,8 @@
+             
+             installed_env_has_yum_package
+       
++      
++            System uses zipl
++            installed_env_has_zipl_package
++      
+ 
diff --git a/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch b/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
new file mode 100644
index 0000000..398abcc
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
@@ -0,0 +1,88 @@
+From d455dc468ef51dd595ce6184f1d31ebf4c20ab9c Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 22 Jul 2020 09:52:50 +0200
+Subject: [PATCH] Add grub2 platform to grub2 kernel option rules
+
+This will make sure these rules are applicable only when grub2
+(grub2-pc) is installed.
+---
+ linux_os/guide/system/auditing/grub2_audit_argument/rule.yml    | 2 ++
+ .../system/auditing/grub2_audit_backlog_limit_argument/rule.yml | 2 +-
+ .../system/permissions/mounting/grub2_nousb_argument/rule.yml   | 2 ++
+ .../guide/system/permissions/restrictions/poisoning/group.yml   | 2 ++
+ .../restrictions/poisoning/grub2_page_poison_argument/rule.yml  | 2 +-
+ .../restrictions/poisoning/grub2_slub_debug_argument/rule.yml   | 2 +-
+ 7 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index 00cb7f9b6c..5f3a47a776 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -102,6 +102,8 @@ warnings:
+ {{% endif %}}
+         
+ 
++platform: grub2
++
+ template:
+     name: grub2_bootloader_argument
+     vars:
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index 6cab6f7bfe..aa95957b58 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -60,7 +60,7 @@ warnings:
+ {{% endif %}}
+         
+ 
+-platform: machine
++platform: grub2
+ 
+ template:
+     name: grub2_bootloader_argument
+diff --git a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
+index a3c1f48231..407ba2c069 100644
+--- a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
+@@ -37,3 +37,5 @@ warnings:
+         Disabling all kernel support for USB will cause problems for systems
+         with USB-based keyboards, mice, or printers. This configuration is
+         infeasible for systems which require USB devices, which is common.
++
++platform: grub2
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
+index 6a7a370f2b..030a3e9918 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
+@@ -6,3 +6,5 @@ description: |-
+     Memory Poisoning consists of writing a special value to uninitialized or freed memory.
+     Poisoning can be used as a mechanism to prevent leak of information and detection of
+     corrupted memory.
++
++platform: machine
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+index e3047ef223..2d97ec75ea 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+@@ -60,7 +60,7 @@ warnings:
+ {{% endif %}}
+         
+ 
+-platform: machine
++platform: grub2
+ 
+ template:
+     name: grub2_bootloader_argument
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+index 024c93f18b..39ca33b77a 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+@@ -60,7 +60,7 @@ warnings:
+ {{% endif %}}
+         
+ 
+-platform: machine
++platform: grub2
+ 
+ template:
+     name: grub2_bootloader_argument
diff --git a/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch b/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
new file mode 100644
index 0000000..3e89401
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
@@ -0,0 +1,954 @@
+From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 1 Jul 2020 16:12:35 +0200
+Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template
+
+Create initial version of zIPL specific BLS entries
+template by copying bls_entries_option template.
+---
+ .../template_OVAL_zipl_bls_entries_option     | 32 +++++++++++++++++++
+ ssg/templates.py                              |  5 +++
+ 2 files changed, 37 insertions(+)
+ create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option
+
+diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
+new file mode 100644
+index 0000000000..a19bd5a89c
+--- /dev/null
++++ b/shared/templates/template_OVAL_zipl_bls_entries_option
+@@ -0,0 +1,32 @@
++
++  
++    
++      Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}
++      {{{- oval_affected(products) }}}
++      Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.
++    
++    
++        
++    
++  
++
++  
++    
++    
++  
++
++  
++    ^/boot/loader/entries/.*\.conf$
++    ^options (.*)$
++    1
++  
++
++  
++    ^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$
++  
++
+diff --git a/ssg/templates.py b/ssg/templates.py
+index 2795267abd..fc09416abe 100644
+--- a/ssg/templates.py
++++ b/ssg/templates.py
+@@ -340,6 +340,22 @@ def bls_entries_option(data, lang):
+     return data
+ 
+ 
++@template(["oval"])
++def bls_entries_option(data, lang):
++    data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
++    if lang == "oval":
++        # escape dot, this is used in oval regex
++        data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
++        # replace . with _, this is used in test / object / state ids
++        data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
++    return data
++
++
++@template(["oval"])
++def zipl_bls_entries_option(data, lang):
++    return bls_entries_option(data, lang)
++
++
+ class Builder(object):
+     """
+     Class for building all templated content for a given product.
+
+From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 9 Jul 2020 14:11:04 +0200
+Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install
+
+Extend zipl_bls_entries_option template to check that the kernel option
+is also configure in /etc/kernel/cmdline.
+The presence of the argument in /etc/kernel/cmdline ensures that newly
+installed kernels will be configure if the option.
+---
+ .../template_OVAL_zipl_bls_entries_option     | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
+index a19bd5a89c..9af1bcfbee 100644
+--- a/shared/templates/template_OVAL_zipl_bls_entries_option
++++ b/shared/templates/template_OVAL_zipl_bls_entries_option
+@@ -6,8 +6,10 @@
+       Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.
+     
+     
+-        
++      
++      
+     
+   
+ 
+@@ -25,6 +27,19 @@
+     1
+   
+ 
++  
++    
++    
++  
++  
++    /etc/kernel/cmdline
++    ^(.*)$
++    1
++  
++
+   
+     ^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$
+
+From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 9 Jul 2020 14:12:32 +0200
+Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash
+
+---
+ .../template_ANSIBLE_zipl_bls_entries_option  | 48 +++++++++++++++++++
+ .../template_BASH_zipl_bls_entries_option     | 12 +++++
+ ssg/templates.py                              |  2 +-
+ 3 files changed, 61 insertions(+), 1 deletion(-)
+ create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option
+ create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option
+
+diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+new file mode 100644
+index 0000000000..c0cb131b82
+--- /dev/null
++++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+@@ -0,0 +1,48 @@
++# platform = Red Hat Enterprise Linux 8
++# reboot = true
++# strategy = configure
++# complexity = medium
++# disruption = low
++
++- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
++  block:
++    - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
++      find:
++        paths: "/boot/loader/entries/"
++        contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
++        patterns: "*.conf"
++      register: entries_options
++
++    - name: "Update boot entries options"
++      command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
++      when: entries_options is defined and entries_options.examined != entries_options.matched
++      # The conditional above assumes that only *.conf files are present in /boot/loader/entries
++      # Then, the number of conf files is the same as examined files
++
++    - name: "Check if /etc/kernel/cmdline exists"
++      stat:
++        path: /etc/kernel/cmdline
++      register: cmdline_stat
++
++    - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
++      find:
++        paths: "/etc/kernel/"
++        patterns: "cmdline"
++        contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"
++      register: cmdline_find
++
++    - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
++      lineinfile:
++        create: yes
++        path: "/etc/kernel/cmdline"
++        line: '{{{ ARG_NAME_VALUE }}}'
++      when: cmdline_stat is defined and not cmdline_stat.stat.exists
++
++    - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
++      lineinfile:
++        path: "/etc/kernel/cmdline"
++        backrefs: yes
++        regexp: "^(.*)$"
++        line: '\1 {{{ ARG_NAME_VALUE }}}'
++      when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0
++
+diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
+new file mode 100644
+index 0000000000..9fc8865486
+--- /dev/null
++++ b/shared/templates/template_BASH_zipl_bls_entries_option
+@@ -0,0 +1,12 @@
++# platform = Red Hat Enterprise Linux 8
++
++# Correct BLS option using grubby, which is a thin wrapper around BLS operations
++grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
++
++# Ensure new kernels and boot entries retain the boot option
++if [ ! -f /etc/kernel/cmdline ]; then
++    echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
++elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
++    echo " audit=1" >> /etc/kernel/cmdline
++    sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
++fi
+diff --git a/ssg/templates.py b/ssg/templates.py
+index fc09416abe..a27fbb6cb6 100644
+--- a/ssg/templates.py
++++ b/ssg/templates.py
+@@ -340,7 +340,7 @@ def bls_entries_option(data, lang):
+     return data
+ 
+ 
+-@template(["oval"])
++@template(["ansible", "bash", "oval"])
+ def zipl_bls_entries_option(data, lang):
+     return bls_entries_option(data, lang)
+ 
+
+From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 3 Jul 2020 15:50:56 +0200
+Subject: [PATCH 04/18] Enable zIPL in argument rules
+
+---
+ .../system/bootloader-zipl/zipl_audit_argument/rule.yml     | 6 ++++++
+ .../zipl_audit_backlog_limit_argument/rule.yml              | 6 ++++++
+ .../bootloader-zipl/zipl_page_poison_argument/rule.yml      | 6 ++++++
+ .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++
+ .../bootloader-zipl/zipl_slub_debug_argument/rule.yml       | 6 ++++++
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml  | 6 ++++++
+ 6 files changed, 36 insertions(+)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 624b4e7041..894bf7995f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -28,3 +28,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that doesn't enable audit.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: audit
++    arg_value: '1'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index faf114591a..12334c9905 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -28,3 +28,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: audit_backlog_limit
++    arg_value: '8192'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index 866664c01b..f5a36ee1b3 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -28,3 +28,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: page_poison
++    arg_value: '1'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 2f02d9668c..168dae46a1 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -27,3 +27,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: pti
++    arg_value: 'on'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 0cb10d3cd8..84a374e36f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -28,3 +28,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that does not enable poisoning.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: slub_debug
++    arg_value: 'P'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index f79adeb083..c37e8bbefd 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -25,3 +25,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: vsyscall
++    arg_value: 'none'
+
+From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Sat, 4 Jul 2020 01:15:49 +0200
+Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo
+
+Fix typo
+---
+ .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 12334c9905..15729dc6b6 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured'
+ ocil: |-
+   To check that all boot entries extend the backlog limit;
+   Check that all boot entries extend the log events queue:
+-  
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf

++  
sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+ 
+ platform: machine
+
+From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 9 Jul 2020 12:00:10 +0200
+Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description
+
+Description about how to ensure that new boot entries continue compliant
+was incorrect due to copy-pasta mistake.
+---
+ .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 84a374e36f..83e043179d 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -8,7 +8,7 @@ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P
+     included in its options.

+-    To ensure that new kernels and boot entries continue to extend the audit log events queue,
++    To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
+     add slub_debug=P to /etc/kernel/cmdline.
+ 
+ rationale: |-
+
+From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 9 Jul 2020 12:06:56 +0200
+Subject: [PATCH 07/18] Add CCEs to zIPL argument rules
+
+---
+ .../system/bootloader-zipl/zipl_audit_argument/rule.yml     | 3 +++
+ .../zipl_audit_backlog_limit_argument/rule.yml              | 3 +++
+ .../bootloader-zipl/zipl_page_poison_argument/rule.yml      | 3 +++
+ .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++
+ .../bootloader-zipl/zipl_slub_debug_argument/rule.yml       | 3 +++
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml  | 3 +++
+ 7 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 894bf7995f..b1307ef3f2 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -20,6 +20,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83321-0
++
+ ocil_clause: 'auditing is not enabled at boot time'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 15729dc6b6..18391bee6c 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -19,6 +19,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83341-8
++
+ ocil_clause: 'audit backlog limit is not configured'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index f5a36ee1b3..7ffea8ce6a 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -20,6 +20,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83351-7
++
+ ocil_clause: 'page allocator poisoning is not enabled'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 168dae46a1..6fd1082292 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -19,6 +19,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83361-6
++
+ ocil_clause: 'Kernel page-table isolation is not enabled'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 83e043179d..c499140c35 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -20,6 +20,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83371-5
++
+ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index c37e8bbefd..7edd43074f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -17,6 +17,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83381-4
++
+ ocil_clause: 'vsyscalls are enabled'
+ 
+ ocil: |-
+
+From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 9 Jul 2020 14:36:28 +0200
+Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile
+
+These rules check and ensure configuration of BLS boot options used by
+zIPL.
+---
+ rhel8/profiles/ospp.profile | 8 ++++++++
+ rhel8/profiles/stig.profile | 6 ++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 80e4b71fff..d3732fa805 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -419,3 +419,11 @@ selections:
+     # zIPl specific rules
+     - zipl_bls_entries_only
+     - zipl_bootmap_is_up_to_date
++    - zipl_audit_argument
++    - zipl_audit_backlog_limit_argument
++    - zipl_slub_debug_argument
++    - zipl_page_poison_argument
++    - zipl_vsyscall_argument
++    - zipl_vsyscall_argument.role=unscored
++    - zipl_vsyscall_argument.severity=info
++    - zipl_pti_argument
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index cfc2160be1..69d5222a32 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -49,3 +49,9 @@ selections:
+     # Unselect zIPL rules from OSPP
+     - "!zipl_bls_entries_only"
+     - "!zipl_bootmap_is_up_to_date"
++    - "!zipl_audit_argument"
++    - "!zipl_audit_backlog_limit_argument"
++    - "!zipl_page_poison_argument"
++    - "!zipl_pti_argument"
++    - "!zipl_slub_debug_argument"
++    - "!zipl_vsyscall_argument"
+
+From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 9 Jul 2020 22:30:25 +0200
+Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements
+
+Just like rule selection, allows rule refinements to be unselected, or "undone".
+---
+ build-scripts/compile_profiles.py | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py
+index 0967252348..d1ce8984b2 100644
+--- a/build-scripts/compile_profiles.py
++++ b/build-scripts/compile_profiles.py
+@@ -3,6 +3,7 @@
+ import argparse
+ import sys
+ import os.path
++from copy import deepcopy
+ from glob import glob
+ 
+ import ssg.build_yaml
+@@ -36,7 +37,8 @@ def resolve(self, all_profiles):
+             updated_variables.update(self.variables)
+             self.variables = updated_variables
+ 
+-            updated_refinements = dict(extended_profile.refine_rules)
++            extended_refinements = deepcopy(extended_profile.refine_rules)
++            updated_refinements = self._subtract_refinements(extended_refinements)
+             updated_refinements.update(self.refine_rules)
+             self.refine_rules = updated_refinements
+ 
+@@ -50,6 +52,18 @@ def resolve(self, all_profiles):
+ 
+         self.resolved = True
+ 
++    def _subtract_refinements(self, extended_refinements):
++        """
++        Given a dict of rule refinements from the extended profile,
++        "undo" every refinement prefixed with '!' in this profile.
++        """
++        for rule, refinements in list(self.refine_rules.items()):
++            if rule.startswith("!"):
++                for prop, val in refinements:
++                    extended_refinements[rule[1:]].remove((prop, val))
++                del self.refine_rules[rule]
++        return extended_refinements
++
+ 
+ def create_parser():
+     parser = argparse.ArgumentParser()
+
+From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 9 Jul 2020 22:32:32 +0200
+Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules
+
+Remove the zIPl rule refinementes from STIG profile
+---
+ rhel8/profiles/stig.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 69d5222a32..53647475aa 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -55,3 +55,5 @@ selections:
+     - "!zipl_pti_argument"
+     - "!zipl_slub_debug_argument"
+     - "!zipl_vsyscall_argument"
++    - "!zipl_vsyscall_argument.role=unscored"
++    - "!zipl_vsyscall_argument.severity=info"
+
+From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 10 Jul 2020 09:38:57 +0200
+Subject: [PATCH 11/18] Update stable test for OSPP Profile
+
+I just copied the resolved profile to profile_stability directory.
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 08dcccf24c..5aa3592496 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -168,6 +168,7 @@ selections:
+ - service_rngd_enabled
+ - service_systemd-coredump_disabled
+ - service_usbguard_enabled
++- ssh_client_rekey_limit
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+@@ -213,8 +214,14 @@ selections:
+ - sysctl_user_max_user_namespaces
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
++- zipl_audit_argument
++- zipl_audit_backlog_limit_argument
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
++- zipl_page_poison_argument
++- zipl_pti_argument
++- zipl_slub_debug_argument
++- zipl_vsyscall_argument
+ - var_sshd_set_keepalive=0
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+@@ -238,11 +245,12 @@ selections:
+ - var_accounts_passwords_pam_faillock_deny=3
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - var_accounts_passwords_pam_faillock_unlock_time=never
++- var_ssh_client_rekey_limit_size=1G
++- var_ssh_client_rekey_limit_time=1hour
+ - grub2_vsyscall_argument.role=unscored
+ - grub2_vsyscall_argument.severity=info
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
+-- ssh_client_rekey_limit
+-- var_ssh_client_rekey_limit_size=1G
+-- var_ssh_client_rekey_limit_time=1hour
++- zipl_vsyscall_argument.role=unscored
++- zipl_vsyscall_argument.severity=info
+ title: Protection Profile for General Purpose Operating Systems
+
+From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 10 Jul 2020 15:15:25 +0200
+Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios
+
+---
+ .../tests/correct_option.pass.sh                 | 16 ++++++++++++++++
+ .../tests/missing_in_cmdline.fail.sh             | 14 ++++++++++++++
+ .../tests/missing_in_entry.fail.sh               | 14 ++++++++++++++
+ 3 files changed, 44 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+new file mode 100644
+index 0000000000..a9bd49dd0b
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+@@ -0,0 +1,16 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Make sure boot loader entries contain audit=1
++for file in /boot/loader/entries/*.conf
++do
++    if ! grep -q '^options.*audit=1.*$' "$file" ; then
++        sed -i '/^options / s/$/audit=1/' "$file"
++    fi
++done
++
++# Make sure /etc/kernel/cmdline contains audit=1
++if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
++    echo "audit=1" >> /etc/kernel/cmdline
++fi
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+new file mode 100644
+index 0000000000..d4d1d978c8
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Make sure boot loader entries contain audit=1
++for file in /boot/loader/entries/*.conf
++do
++    if ! grep -q '^options.*audit=1.*$' "$file" ; then
++        sed -i '/^options / s/$/audit=1/' "$file"
++    fi
++done
++
++# Make sure /etc/kernel/cmdline doesn't contain audit=1
++sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+new file mode 100644
+index 0000000000..3e412c0542
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Remove audit=1 from all boot entries
++sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
++# But make sure one boot loader entry contains audit=1
++sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
++sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
++
++# Make sure /etc/kernel/cmdline contains audit=1
++if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
++    echo "audit=1" >> /etc/kernel/cmdline
++fi
+
+From 3b52ab44e043adb289ef0a96798cffaf3e1f35a1 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 10 Jul 2020 15:34:52 +0200
+Subject: [PATCH 13/18] zipl_bls_entries_option: Remove hardcoded values
+
+The template shouldn't have any hardcoded values.
+---
+ shared/templates/template_BASH_zipl_bls_entries_option | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
+index 9fc8865486..dde8c948f7 100644
+--- a/shared/templates/template_BASH_zipl_bls_entries_option
++++ b/shared/templates/template_BASH_zipl_bls_entries_option
+@@ -7,6 +7,5 @@ grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+ if [ ! -f /etc/kernel/cmdline ]; then
+     echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
+ elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
+-    echo " audit=1" >> /etc/kernel/cmdline
+-    sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
++    sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline
+ fi
+
+From 68bff71c7f60a7c68cf0bd9aa153f8a78ec02b7d Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 10 Jul 2020 16:08:26 +0200
+Subject: [PATCH 14/18] Improve conditional check for the grubby command
+
+Let's not trust that /boot/loader/entries/ only contains *.conf files.
+Count the number of conf files and how many set the propper options.
+---
+ .../template_ANSIBLE_zipl_bls_entries_option       | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+index c0cb131b82..bccad2267c 100644
+--- a/shared/templates/template_ANSIBLE_zipl_bls_entries_option
++++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+@@ -6,18 +6,22 @@
+ 
+ - name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
+   block:
+-    - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
++    - name: "Check how many boot entries exist "
++      find:
++        paths: "/boot/loader/entries/"
++        patterns: "*.conf"
++      register: n_entries
++
++    - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}"
+       find:
+         paths: "/boot/loader/entries/"
+         contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
+         patterns: "*.conf"
+-      register: entries_options
++      register: n_entries_options
+ 
+     - name: "Update boot entries options"
+       command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+-      when: entries_options is defined and entries_options.examined != entries_options.matched
+-      # The conditional above assumes that only *.conf files are present in /boot/loader/entries
+-      # Then, the number of conf files is the same as examined files
++      when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched
+ 
+     - name: "Check if /etc/kernel/cmdline exists"
+       stat:
+
+From 79c60bb40288c17381bf1e4a84e6cfd300bd8446 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 10 Jul 2020 16:17:27 +0200
+Subject: [PATCH 15/18] zipl_bls_entries_option: Fix sed in test scenario
+
+Append "audit=1" space from last option.
+---
+ .../zipl_audit_argument/tests/correct_option.pass.sh            | 2 +-
+ .../zipl_audit_argument/tests/missing_in_cmdline.fail.sh        | 2 +-
+ .../zipl_audit_argument/tests/missing_in_entry.fail.sh          | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+index a9bd49dd0b..5fcbcc5667 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+@@ -6,7 +6,7 @@
+ for file in /boot/loader/entries/*.conf
+ do
+     if ! grep -q '^options.*audit=1.*$' "$file" ; then
+-        sed -i '/^options / s/$/audit=1/' "$file"
++        sed -i '/^options / s/$/ audit=1/' "$file"
+     fi
+ done
+ 
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+index d4d1d978c8..b75165f904 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+@@ -6,7 +6,7 @@
+ for file in /boot/loader/entries/*.conf
+ do
+     if ! grep -q '^options.*audit=1.*$' "$file" ; then
+-        sed -i '/^options / s/$/audit=1/' "$file"
++        sed -i '/^options / s/$/ audit=1/' "$file"
+     fi
+ done
+ 
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+index 3e412c0542..e3d342d533 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+@@ -5,7 +5,7 @@
+ # Remove audit=1 from all boot entries
+ sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
+ # But make sure one boot loader entry contains audit=1
+-sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
++sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
+ sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+ 
+ # Make sure /etc/kernel/cmdline contains audit=1
+
+From d513177d2cea39db364a0ff39a599ded36a25395 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 10 Jul 2020 16:29:06 +0200
+Subject: [PATCH 16/18] Extend scenarios platform and allow remediation
+
+These test scenarios can be run on any OS that supports BLS and provides
+grubby.
+But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.:
+has s390utils-base installed).
+---
+ .../zipl_audit_argument/tests/correct_option.pass.sh           | 3 +--
+ .../zipl_audit_argument/tests/missing_in_cmdline.fail.sh       | 3 +--
+ .../zipl_audit_argument/tests/missing_in_entry.fail.sh         | 3 +--
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+index 5fcbcc5667..73ed0eae0f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 8
+-# remediation = none
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+ 
+ # Make sure boot loader entries contain audit=1
+ for file in /boot/loader/entries/*.conf
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+index b75165f904..3af83d30d8 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 8
+-# remediation = none
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+ 
+ # Make sure boot loader entries contain audit=1
+ for file in /boot/loader/entries/*.conf
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+index e3d342d533..142f75ba60 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 8
+-# remediation = none
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+ 
+ # Remove audit=1 from all boot entries
+ sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
+
+From 2e841722d30551c86f14558ff39bdaa5dda55711 Mon Sep 17 00:00:00 2001
+From: Watson Yuuma Sato 
+Date: Fri, 10 Jul 2020 16:35:55 +0200
+Subject: [PATCH 17/18] Update comment in OVAL zipl_bls_entries_option
+
+Co-authored-by: vojtapolasek 
+---
+ shared/templates/template_OVAL_zipl_bls_entries_option | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
+index 9af1bcfbee..502d5e7d9a 100644
+--- a/shared/templates/template_OVAL_zipl_bls_entries_option
++++ b/shared/templates/template_OVAL_zipl_bls_entries_option
+@@ -7,7 +7,7 @@
+     
+     
+       
++      comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
+       
+     
+
+From 9bd0afbde47ef368444ba1785da593980e6e00aa Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 10 Jul 2020 17:15:46 +0200
+Subject: [PATCH 18/18] zipl_bls_entries_option: Supress grep error messages
+
+/etc/kernel/cmdline is not always present. Lest suppress any error
+message about absent file in the test scenarios.
+---
+ .../zipl_audit_argument/tests/correct_option.pass.sh            | 2 +-
+ .../zipl_audit_argument/tests/missing_in_entry.fail.sh          | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+index 73ed0eae0f..7a828837fe 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+@@ -10,6 +10,6 @@ do
+ done
+ 
+ # Make sure /etc/kernel/cmdline contains audit=1
+-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
++if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+     echo "audit=1" >> /etc/kernel/cmdline
+ fi
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+index 142f75ba60..5650cc0a74 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+@@ -8,6 +8,6 @@ sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
+ sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+ 
+ # Make sure /etc/kernel/cmdline contains audit=1
+-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
++if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+     echo "audit=1" >> /etc/kernel/cmdline
+ fi
diff --git a/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch b/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
new file mode 100644
index 0000000..81d85cc
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
@@ -0,0 +1,884 @@
+From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 25 Jun 2020 18:29:31 +0200
+Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS
+
+Instead of having each zIPL argument rule check for BLS compliance,
+let's split into its own rule.
+---
+ .../zipl_audit_argument/rule.yml              |  6 -----
+ .../rule.yml                                  |  6 -----
+ .../zipl_bls_entries_only/rule.yml            | 24 +++++++++++++++++++
+ .../zipl_enable_selinux/rule.yml              |  6 -----
+ .../zipl_page_poison_argument/rule.yml        |  6 -----
+ .../zipl_pti_argument/rule.yml                |  6 -----
+ .../zipl_slub_debug_argument/rule.yml         |  6 -----
+ .../zipl_vsyscall_argument/rule.yml           |  6 -----
+ 8 files changed, 24 insertions(+), 42 deletions(-)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 2d31ef8ee7..1211a53295 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To ensure all processes can be audited, even those which start prior to the audit daemon,
+     check that all boot entries in /boot/loader/entries/*.conf have audit=1
+     included in its options.

+-    Make sure /etc/zipl.conf doesn't contain image =  setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

+     And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to enable audit,
+@@ -30,10 +28,6 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that doesn't enable audit.
+ 
+-  Check that no image file is specified in /etc/zipl.conf:
+-  
grep -R "^image\s*=" /etc/zipl.conf

+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+   and /etc/zipl.conf:
+   
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 40db232257..7d88e38686 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+     check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192
+     included in its options.

+-    Make sure /etc/zipl.conf doesn't contain image =  setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

+     And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+@@ -31,10 +29,6 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+ 
+-  Check that no image file is specified in /etc/zipl.conf:
+-  
grep -R "^image\s*=" /etc/zipl.conf

+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+   and /etc/zipl.conf:
+   
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+new file mode 100644
+index 0000000000..b6ccbb5343
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+@@ -0,0 +1,24 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Ensure all zIPL boot entries are BLS compliant'
++
++description: |-
++    Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
++    by checking that /etc/zipl.conf doesn't contain image = .
++
++rationale: |-
++    {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of
++    configuration.
++
++severity: medium
++
++ocil_clause: 'a non BLS boot entry is configured'
++
++ocil: |-
++  Check that no boot image file is specified in /etc/zipl.conf:
++  
grep -R "^image\s*=" /etc/zipl.conf

++  No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+index 8d28d5495f..1c3bfeb246 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To ensure SELinux is not disabled at boot time,
+     check that no boot entry in /boot/loader/entries/*.conf has selinux=0
+     included in its options.

+-    Make sure /etc/zipl.conf doesn't contain image =  setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

+     And run zipl command so that /boot/bootmap is updated.


+ 
+ rationale: |-
+@@ -27,10 +25,6 @@ ocil: |-
+     
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf

+     No line should be returned, each line returned is a boot entry that disables SELinux.
+ 
+-    Check that no image file is specified in /etc/zipl.conf:
+-    
grep -R "^image\s*=" /etc/zipl.conf

+-    No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+     And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+     and /etc/zipl.conf:
+     
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index 0a8e9a41e2..6dbfd501b7 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable poisoning of free pages,
+     check that all boot entries in /boot/loader/entries/*.conf have page_poison=1
+     included in its options.

+-    Make sure /etc/zipl.conf doesn't contain image =  setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

+     And run zipl command so that /boot/bootmap is updated.

+ 
+     To ensure that new kernels and boot entries continue to enable page poisoning,
+@@ -31,10 +29,6 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+ 
+-  Check that no image file is specified in /etc/zipl.conf:
+-  
grep -R "^image\s*=" /etc/zipl.conf

+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+   and /etc/zipl.conf:
+   
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 20c1448cc8..555fdf2b66 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable Kernel page-table isolation,
+     check that all boot entries in /boot/loader/entries/*.conf have pti=on
+     included in its options.

+-    Make sure /etc/zipl.conf doesn't contain image =  setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

+     And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to enable page-table isolation,
+@@ -30,10 +28,6 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+ 
+-  Check that no image file is specified in /etc/zipl.conf:
+-  
grep -R "^image\s*=" /etc/zipl.conf

+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+   and /etc/zipl.conf:
+   
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 54ac688ea0..dd7865bf81 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P
+     included in its options.

+-    Make sure /etc/zipl.conf doesn't contain image =  setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

+     And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+@@ -31,10 +29,6 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that does not enable poisoning.
+ 
+-  Check that no image file is specified in /etc/zipl.conf:
+-  
grep -R "^image\s*=" /etc/zipl.conf

+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+   and /etc/zipl.conf:
+   
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index c5979a2016..18b7ade460 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To disable use of virtual syscalls,
+     check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none
+     included in its options.

+-    Make sure /etc/zipl.conf doesn't contain image =  setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).

+     And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to disable virtual syscalls,
+@@ -28,10 +26,6 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+ 
+-  Check that no image file is specified in /etc/zipl.conf:
+-  
grep -R "^image\s*=" /etc/zipl.conf

+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+   and /etc/zipl.conf:
+   
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+
+From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 2 Jul 2020 09:52:39 +0200
+Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests
+
+---
+ .../zipl_bls_entries_only/oval/shared.xml     | 27 +++++++++++++++++++
+ .../tests/image_configured.fail.sh            |  6 +++++
+ .../tests/no_image.pass.sh                    |  7 +++++
+ 3 files changed, 40 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+new file mode 100644
+index 0000000000..41e9773814
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+@@ -0,0 +1,27 @@
++
++  
++    
++      Ensure zIPL entries are BLS compliant
++      {{{- oval_affected(products) }}}
++      Check if /etc/zipl.conf configures any boot entry
++    
++    
++      
++    
++  
++
++  
++    
++  
++
++  
++    ^/etc/zipl.conf$
++    ^image\s*=.*$
++    1
++  
++
++
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
+new file mode 100644
+index 0000000000..e3adb99638
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Make sure no image configured in zipl config file
++echo 'image = /boot/image' >> /etc/zipl.conf
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
+new file mode 100644
+index 0000000000..47626442f6
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Make sure no image configured in zipl config file
++sed -Ei '/^image\s*=/d' /etc/zipl.conf
++true
+
+From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 2 Jul 2020 11:09:08 +0200
+Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning
+
+Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
+is tricky and can lead to broken entries or removal of all of them.
+---
+ .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml    | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+index b6ccbb5343..f792c5257f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+@@ -22,3 +22,8 @@ ocil: |-
+   No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
+ 
+ platform: machine
++
++warnings:
++  - general: |-
++      To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
++      automated remediation for this rule is not available.
+
+From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 25 Jun 2020 18:51:04 +0200
+Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap
+
+Instead of having each zIPL argument rule check if zIPL bootmap is up to
+date, let's split it into its own rule.
+---
+ .../zipl_audit_argument/rule.yml              |  6 -----
+ .../rule.yml                                  |  7 -----
+ .../zipl_bootmap_is_up_to_date/rule.yml       | 27 +++++++++++++++++++
+ .../zipl_enable_selinux/rule.yml              |  6 -----
+ .../zipl_page_poison_argument/rule.yml        |  7 -----
+ .../zipl_pti_argument/rule.yml                |  7 -----
+ .../zipl_slub_debug_argument/rule.yml         |  7 -----
+ .../zipl_vsyscall_argument/rule.yml           |  7 -----
+ 8 files changed, 27 insertions(+), 47 deletions(-)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 1211a53295..624b4e7041 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -8,7 +8,6 @@ description: |-
+     To ensure all processes can be audited, even those which start prior to the audit daemon,
+     check that all boot entries in /boot/loader/entries/*.conf have audit=1
+     included in its options.

+-    And run zipl command so that /boot/bootmap is updated.


+ 
+     To ensure that new kernels and boot entries continue to enable audit,
+     add audit=1 to /etc/kernel/cmdline.
+@@ -28,9 +27,4 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that doesn't enable audit.
+ 
+-  And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+-  and /etc/zipl.conf:
+-  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+-  No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 7d88e38686..faf114591a 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+     check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192
+     included in its options.

+-    And run zipl command so that /boot/bootmap is updated.


+-
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+     add audit_backlog_limit=8192 to /etc/kernel/cmdline.
+ 
+@@ -29,9 +27,4 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+ 
+-  And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+-  and /etc/zipl.conf:
+-  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+-  No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+new file mode 100644
+index 0000000000..082562d11e
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+@@ -0,0 +1,27 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Ensure zIPL bootmap is up to date'
++
++description: |-
++    Make sure that /boot/bootmap is up to date.

++    Every time a boot entry or zIPL configuration is changed /boot/bootmap needs to
++    be updated to reflect the changes.

++    Run zipl command to generate an updated /boot/bootmap.
++
++rationale: |-
++    The file /boot/bootmap contains all boot data, keeping it up to date is crucial to
++    boot correct kernel and options.
++
++severity: medium
++
++ocil_clause: 'the bootmap is outdated'
++
++ocil: |-
++  Make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
++  and /etc/zipl.conf:
++  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

++  No line should be returned, if a line is returned /boot/bootmap is outdated and needs to be regenerated.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+index 1c3bfeb246..b0bc0fc374 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -8,7 +8,6 @@ description: |-
+     To ensure SELinux is not disabled at boot time,
+     check that no boot entry in /boot/loader/entries/*.conf has selinux=0
+     included in its options.

+-    And run zipl command so that /boot/bootmap is updated.


+ 
+ rationale: |-
+     Disabling a major host protection feature, such as SELinux, at boot time prevents
+@@ -25,9 +24,4 @@ ocil: |-
+     
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf

+     No line should be returned, each line returned is a boot entry that disables SELinux.
+ 
+-    And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+-    and /etc/zipl.conf:
+-    
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+-    No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index 6dbfd501b7..866664c01b 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable poisoning of free pages,
+     check that all boot entries in /boot/loader/entries/*.conf have page_poison=1
+     included in its options.

+-    And run zipl command so that /boot/bootmap is updated.

+-
+     To ensure that new kernels and boot entries continue to enable page poisoning,
+     add page_poison=1 to /etc/kernel/cmdline.
+ 
+@@ -29,9 +27,4 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+ 
+-  And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+-  and /etc/zipl.conf:
+-  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+-  No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 555fdf2b66..2f02d9668c 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable Kernel page-table isolation,
+     check that all boot entries in /boot/loader/entries/*.conf have pti=on
+     included in its options.

+-    And run zipl command so that /boot/bootmap is updated.


+-
+     To ensure that new kernels and boot entries continue to enable page-table isolation,
+     add pti=on to /etc/kernel/cmdline.
+ 
+@@ -28,9 +26,4 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+ 
+-  And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+-  and /etc/zipl.conf:
+-  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+-  No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index dd7865bf81..0cb10d3cd8 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P
+     included in its options.

+-    And run zipl command so that /boot/bootmap is updated.


+-
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+     add slub_debug=P to /etc/kernel/cmdline.
+ 
+@@ -29,9 +27,4 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that does not enable poisoning.
+ 
+-  And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+-  and /etc/zipl.conf:
+-  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+-  No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 18b7ade460..f79adeb083 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To disable use of virtual syscalls,
+     check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none
+     included in its options.

+-    And run zipl command so that /boot/bootmap is updated.


+-
+     To ensure that new kernels and boot entries continue to disable virtual syscalls,
+     add vsyscall=none to /etc/kernel/cmdline.
+ 
+@@ -26,9 +24,4 @@ ocil: |-
+   
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf

+   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+ 
+-  And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
+-  and /etc/zipl.conf:
+-  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap

+-  No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+-
+ platform: machine
+
+From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 2 Jul 2020 15:59:31 +0200
+Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check
+
+---
+ .../oval/shared.xml                           | 46 +++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
+new file mode 100644
+index 0000000000..6c446cbe59
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
+@@ -0,0 +1,46 @@
++
++  
++    
++      Ensure zIPL bootmap is up to date
++      {{{- oval_affected(products) }}}
++      Check if /boot/bootmap is up to date
++    
++    
++      
++    
++  
++
++  
++    
++    
++    
++  
++
++  
++    /boot/bootmap
++  
++
++  
++  
++    
++  
++  
++    
++  
++  
++    /etc/zipl.conf
++  
++
++  
++    
++  
++  
++    
++  
++  
++    ^/boot/loader/entries/.*\.conf$
++  
++
+
+From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 2 Jul 2020 16:15:35 +0200
+Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests
+
+These tests mock existence of zIPL files.
+---
+ .../tests/newer_boot_entry.fail.sh                     | 10 ++++++++++
+ .../tests/newer_zipl_conf.fail.sh                      | 10 ++++++++++
+ .../tests/up_to_date.pass.sh                           |  9 +++++++++
+ 3 files changed, 29 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
+new file mode 100644
+index 0000000000..728c6b7bdb
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++touch /etc/zipl.conf
++touch /boot/loader/entries/*.conf # Update current existing entries
++touch /boot/loader/entries/zipl-entry-1.conf
++touch /boot/bootmap
++sleep 2
++touch /boot/loader/entries/zipl-entry-2.conf
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
+new file mode 100644
+index 0000000000..1ae4d631ee
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++touch /boot/loader/entries/*.conf # Update current existing entries
++touch /boot/loader/entries/zipl-entry-1.conf
++touch /boot/loader/entries/zipl-entry-2.conf
++touch /boot/bootmap
++sleep 2
++touch /etc/zipl.conf
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
+new file mode 100644
+index 0000000000..7981ba8c5c
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
+@@ -0,0 +1,9 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++touch /etc/zipl.conf
++touch /boot/loader/entries/*.conf # Update current existing entries
++touch /boot/loader/entries/zipl-entry-1.conf
++touch /boot/loader/entries/zipl-entry-2.conf
++touch /boot/bootmap
+
+From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 3 Jul 2020 18:35:06 +0200
+Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations
+
+---
+ .../ansible/shared.yml                        | 24 +++++++++++++++++++
+ .../zipl_bootmap_is_up_to_date/bash/shared.sh |  3 +++
+ 2 files changed, 27 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
+new file mode 100644
+index 0000000000..e545eacc13
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
+@@ -0,0 +1,24 @@
++# platform = Red Hat Enterprise Linux 8
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++
++- name: "Ensure zIPL bootmap is up to date"
++  block:
++    - name: "Obtain stats of /boot/bootmap"
++      stat:
++        path: /boot/bootmap
++      register: boot_bootmap
++
++    - name: "Obtain stats of /etc/zipl.conf"
++      stat:
++        path: /etc/zipl.conf
++      register: zipl_conf
++
++    # TODO: handle /boot/loader/entries/*.conf
++
++    - name: "Update zIPL bootmap"
++      command: /usr/sbin/zipl
++      changed_when: True
++      when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+new file mode 100644
+index 0000000000..2cf7e388f0
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+@@ -0,0 +1,3 @@
++# platform = Red Hat Enterprise Linux 8
++
++/usr/bin/zipl
+
+From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 1 Jul 2020 17:16:41 +0200
+Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile
+
+---
+ rhel8/profiles/ospp.profile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 07d32b814d..80e4b71fff 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -415,3 +415,7 @@ selections:
+     - ssh_client_rekey_limit
+     - var_ssh_client_rekey_limit_size=1G
+     - var_ssh_client_rekey_limit_time=1hour
++
++    # zIPl specific rules
++    - zipl_bls_entries_only
++    - zipl_bootmap_is_up_to_date
+
+From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 8 Jul 2020 14:03:21 +0200
+Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation
+
+---
+ .../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh   | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+index 2cf7e388f0..2310ca060d 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+@@ -1,3 +1,3 @@
+ # platform = Red Hat Enterprise Linux 8
+ 
+-/usr/bin/zipl
++/usr/sbin/zipl
+
+From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 8 Jul 2020 14:06:22 +0200
+Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces
+
+There can be leading spaces before 'image'.
+---
+ .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml       | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+index 41e9773814..f68d91c128 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+@@ -20,7 +20,7 @@
+   
+     ^/etc/zipl.conf$
+-    ^image\s*=.*$
++    ^\s*image\s*=.*$
+     1
+   
+ 
+
+From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 8 Jul 2020 14:10:22 +0200
+Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf
+
+There is no need to perform pattern match, the check just needs to
+examine /etc/zipl.conf file.
+---
+ .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml       | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+index f68d91c128..1ebf03ee37 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+@@ -19,7 +19,7 @@
+ 
+   
+-    ^/etc/zipl.conf$
++    /etc/zipl.conf
+     ^\s*image\s*=.*$
+     1
+   
+
+From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 8 Jul 2020 14:13:26 +0200
+Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules
+
+Add RHEL-8 CCE identifiers for:
+- zipl_bls_entries_only
+- zipl_bootmap_is_up_to_date
+---
+ .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml      | 3 +++
+ .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+index f792c5257f..67cc061ce3 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+@@ -14,6 +14,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83485-3
++
+ ocil_clause: 'a non BLS boot entry is configured'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+index 082562d11e..da9411d00b 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+@@ -16,6 +16,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83486-1
++
+ ocil_clause: 'the bootmap is outdated'
+ 
+ ocil: |-
+
+From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 8 Jul 2020 14:16:58 +0200
+Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test
+
+Update the profile reference file.
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index b0d7672c36..08dcccf24c 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -213,6 +213,8 @@ selections:
+ - sysctl_user_max_user_namespaces
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
++- zipl_bls_entries_only
++- zipl_bootmap_is_up_to_date
+ - var_sshd_set_keepalive=0
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+
+From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Wed, 8 Jul 2020 15:28:09 +0200
+Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile
+
+The zIPL rules are inherited from OSPP profile
+---
+ rhel8/profiles/stig.profile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 8f12852e26..cfc2160be1 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -45,3 +45,7 @@ selections:
+     - rsyslog_remote_tls
+     - rsyslog_remote_tls_cacert
+     - "!ssh_client_rekey_limit"
++
++    # Unselect zIPL rules from OSPP
++    - "!zipl_bls_entries_only"
++    - "!zipl_bootmap_is_up_to_date"
diff --git a/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch b/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
new file mode 100644
index 0000000..9154e40
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
@@ -0,0 +1,280 @@
+From 844be904d8de624abe9bbe620d7a06417dfff842 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 27 Aug 2020 13:19:01 +0200
+Subject: [PATCH 1/5] Align Ansible task applicability with CPE platform
+
+Adds a when clause to Ansible snippets of rules with Package CPE platform.
+
+If the when clause is added, a fact_packages Task needs to added as
+well.
+---
+ ssg/build_remediations.py | 52 ++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index a9ef3014ac..597aed5889 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -6,8 +6,7 @@
+ import os.path
+ import re
+ import codecs
+-from collections import defaultdict, namedtuple
+-
++from collections import defaultdict, namedtuple, OrderedDict
+ 
+ import ssg.yaml
+ from . import build_yaml
+@@ -343,11 +342,46 @@ def _get_rule_reference(self, ref_class):
+         else:
+             return []
+ 
++    def inject_package_facts_task(self, parsed_snippet):
++        """ Injects a package_facts task only if
++            the snippet has a task with a when clause with ansible_facts.packages,
++            and the snippet doesn't already have an package_facts task
++        """
++        has_package_facts_task = False
++        has_ansible_facts_packages_clause = False
++
++        for p_task in parsed_snippet:
++            # We are only interested in the OrderedDicts, which represent Ansible tasks
++            if not isinstance(p_task, dict):
++                continue
++
++            if "package_facts" in p_task:
++                has_package_facts_task = True
++
++            if "ansible_facts.packages" in p_task.get("when", ""):
++                has_ansible_facts_packages_clause = True
++
++        if has_ansible_facts_packages_clause and not has_package_facts_task:
++            facts_task = OrderedDict({'name': 'Gather the package facts',
++                                      'package_facts': {'manager': 'auto'}})
++            parsed_snippet.insert(0, facts_task)
++
+     def update_when_from_rule(self, to_update):
+         additional_when = ""
+-        if self.associated_rule.platform == "machine":
+-            additional_when = ('ansible_virtualization_role != "guest" '
+-                               'or ansible_virtualization_type != "docker"')
++        rule_platform = self.associated_rule.platform
++        if rule_platform == "machine":
++            additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
++        elif rule_platform is not None:
++            # Assume any other platform is a Package CPE
++
++            # It doesn't make sense to add a conditional on the task that
++            # gathers data for the conditional
++            if "package_facts" in to_update:
++                return
++
++            additional_when = '"' + rule_platform + '" in ansible_facts.packages'
++            # After adding the conditional, we need to make sure package_facts are collected.
++            # This is done via inject_package_facts_task()
+         to_update.setdefault("when", "")
+         new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
+         if not new_when:
+@@ -355,10 +390,21 @@ def update_when_from_rule(self, to_update):
+             to_update["when"] = new_when
+ 
+     def update(self, parsed, config):
++        # We split the remediation update in three steps
++
++        # 1. Update the when clause
+         for p in parsed:
+             if not isinstance(p, dict):
+                 continue
+             self.update_when_from_rule(p)
++
++        # 2. Inject any extra task necessary
++        self.inject_package_facts_task(parsed)
++
++        # 3. Add tags to all tasks, including the ones we have injected
++        for p in parsed:
++            if not isinstance(p, dict):
++                continue
+             self.update_tags_from_config(p, config)
+             self.update_tags_from_rule(p)
+ 
+
+From 60e5723e0e35ec8d79bafdd113f04691e61738e7 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 27 Aug 2020 17:09:06 +0200
+Subject: [PATCH 2/5] Add inherited_platform to Rule
+
+This field is exported to the rule when it is resolved.
+---
+ ssg/build_yaml.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
+index 4ba114eee4..fe290ffc05 100644
+--- a/ssg/build_yaml.py
++++ b/ssg/build_yaml.py
+@@ -832,6 +832,7 @@ class Rule(object):
+         "conflicts": lambda: list(),
+         "requires": lambda: list(),
+         "platform": lambda: None,
++        "inherited_platforms": lambda: list(),
+         "template": lambda: None,
+     }
+ 
+@@ -851,6 +852,7 @@ def __init__(self, id_):
+         self.requires = []
+         self.conflicts = []
+         self.platform = None
++        self.inherited_platforms = [] # platforms inherited from the group
+         self.template = None
+ 
+     @classmethod
+@@ -1293,6 +1295,9 @@ def _process_rules(self):
+                 continue
+             self.all_rules.add(rule)
+             self.loaded_group.add_rule(rule)
++
++            rule.inherited_platforms.append(self.loaded_group.platform)
++
+             if self.resolved_rules_dir:
+                 output_for_rule = os.path.join(
+                     self.resolved_rules_dir, "{id_}.yml".format(id_=rule.id_))
+
+From 3a0bb0d2981670e90a8eaca53b28e1a6f7cc29d6 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 27 Aug 2020 17:21:35 +0200
+Subject: [PATCH 3/5] Add when clauses for inherited platforms too
+
+Consider the Rule's Group platform while including 'when' clauses to
+Ansible snippets.
+
+Some rules have two platforms, a machine platform and a package
+platform. One of them is represented of the Rule, and the other is
+represented in the Rule's Group.
+
+The platforms are organized like this to due limiation in XCCDF,
+multiple platforms in a Rule are ORed, not ANDed.
+---
+ ssg/build_remediations.py | 44 ++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 17 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 597aed5889..a2a996d0af 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -358,8 +358,13 @@ def inject_package_facts_task(self, parsed_snippet):
+             if "package_facts" in p_task:
+                 has_package_facts_task = True
+ 
+-            if "ansible_facts.packages" in p_task.get("when", ""):
+-                has_ansible_facts_packages_clause = True
++            # When clause of the task can be string or a list, lets normalize to list
++            task_when = p_task.get("when", "")
++            if type(task_when) is str:
++                task_when = [ task_when ]
++            for when in task_when:
++                if "ansible_facts.packages" in when:
++                    has_ansible_facts_packages_clause = True
+ 
+         if has_ansible_facts_packages_clause and not has_package_facts_task:
+             facts_task = OrderedDict({'name': 'Gather the package facts',
+@@ -367,21 +372,26 @@ def inject_package_facts_task(self, parsed_snippet):
+             parsed_snippet.insert(0, facts_task)
+ 
+     def update_when_from_rule(self, to_update):
+-        additional_when = ""
+-        rule_platform = self.associated_rule.platform
+-        if rule_platform == "machine":
+-            additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
+-        elif rule_platform is not None:
+-            # Assume any other platform is a Package CPE
+-
+-            # It doesn't make sense to add a conditional on the task that
+-            # gathers data for the conditional
+-            if "package_facts" in to_update:
+-                return
+-
+-            additional_when = '"' + rule_platform + '" in ansible_facts.packages'
+-            # After adding the conditional, we need to make sure package_facts are collected.
+-            # This is done via inject_package_facts_task()
++        additional_when = []
++
++        rule_platforms = set([self.associated_rule.platform] +
++                              self.associated_rule.inherited_platforms)
++
++        for platform in rule_platforms:
++            if platform == "machine":
++                additional_when.append('ansible_virtualization_type not in ["docker", "lxc", "openvz"]')
++            elif platform is not None:
++                # Assume any other platform is a Package CPE
++
++                # It doesn't make sense to add a conditional on the task that
++                # gathers data for the conditional
++                if "package_facts" in to_update:
++                    continue
++
++                additional_when.append('"' + platform + '" in ansible_facts.packages')
++                # After adding the conditional, we need to make sure package_facts are collected.
++                # This is done via inject_package_facts_task()
++
+         to_update.setdefault("when", "")
+         new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
+         if not new_when:
+
+From 99c92e39bccc3fcfadca41096e66ca146137b207 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Mon, 31 Aug 2020 16:06:14 +0200
+Subject: [PATCH 4/5] Improve inherihted and rule's platforms handling
+
+Add a quick comment too.
+---
+ ssg/build_remediations.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index a2a996d0af..9e622ef740 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -374,8 +374,9 @@ def inject_package_facts_task(self, parsed_snippet):
+     def update_when_from_rule(self, to_update):
+         additional_when = []
+ 
+-        rule_platforms = set([self.associated_rule.platform] +
+-                              self.associated_rule.inherited_platforms)
++        # There can be repeated inherited platforms and rule platforms
++        rule_platforms = set(self.associated_rule.inherited_platforms)
++        rule_platforms.add(self.associated_rule.platform)
+ 
+         for platform in rule_platforms:
+             if platform == "machine":
+
+From 596da9993edfbd244cbaa6d797abbd68b2e82185 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Mon, 31 Aug 2020 16:10:53 +0200
+Subject: [PATCH 5/5] Code style and grammar changes
+
+---
+ ssg/build_remediations.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 9e622ef740..866450dd8c 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -345,7 +345,7 @@ def _get_rule_reference(self, ref_class):
+     def inject_package_facts_task(self, parsed_snippet):
+         """ Injects a package_facts task only if
+             the snippet has a task with a when clause with ansible_facts.packages,
+-            and the snippet doesn't already have an package_facts task
++            and the snippet doesn't already have a package_facts task
+         """
+         has_package_facts_task = False
+         has_ansible_facts_packages_clause = False
+@@ -361,7 +361,7 @@ def inject_package_facts_task(self, parsed_snippet):
+             # When clause of the task can be string or a list, lets normalize to list
+             task_when = p_task.get("when", "")
+             if type(task_when) is str:
+-                task_when = [ task_when ]
++                task_when = [task_when]
+             for when in task_when:
+                 if "ansible_facts.packages" in when:
+                     has_ansible_facts_packages_clause = True
diff --git a/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch b/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
new file mode 100644
index 0000000..f1510d8
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
@@ -0,0 +1,241 @@
+From c05cce1a4a5eb95be857b07948fda0c95cdaa106 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Tue, 8 Sep 2020 14:36:07 +0200
+Subject: [PATCH 1/5] Align Bash applicability with CPE platform
+
+Wraps the remediation of rules with Packager CPE Platform
+with an if condition that checks for the respective
+platforms's package.
+---
+ ssg/build_remediations.py | 45 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index ccbdf9fc1f..2d4a805e78 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -27,6 +27,13 @@
+     'kubernetes': '.yml'
+ }
+ 
++PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
++    'apt_get': 'dpkg-query -s {} &>/dev/null',
++    'dnf': 'rpm --quiet -q {}',
++    'yum': 'rpm --quiet -q {}',
++    'zypper': 'rpm --quiet -q {}',
++}
++
+ FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
+ 
+ REMEDIATION_CONFIG_KEYS = ['complexity', 'disruption', 'platform', 'reboot',
+@@ -262,6 +269,44 @@ class BashRemediation(Remediation):
+     def __init__(self, file_path):
+         super(BashRemediation, self).__init__(file_path, "bash")
+ 
++    def parse_from_file_with_jinja(self, env_yaml):
++        self.local_env_yaml.update(env_yaml)
++        result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
++
++        # There can be repeated inherited platforms and rule platforms
++        rule_platforms = set(self.associated_rule.inherited_platforms)
++        rule_platforms.add(self.associated_rule.platform)
++
++        platform_conditionals = []
++        for platform in rule_platforms:
++            if platform == "machine":
++                # Based on check installed_env_is_a_container
++                platform_conditionals.append('[ ! -f /.dockerenv -a ! -f /run/.containerenv ]')
++            elif platform is not None:
++                # Assume any other platform is a Package CPE
++
++                # Some package names are different from the platform names
++                if platform in self.local_env_yaml["platform_package_overrides"]:
++                    platform = self.local_env_yaml["platform_package_overrides"].get(platform)
++
++                # Adjust package check command according to the pkg_manager
++                pkg_manager = self.local_env_yaml["pkg_manager"]
++                pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]
++                platform_conditionals.append(pkg_check_command.format(platform))
++
++        if platform_conditionals:
++            platform_fix_text = "# Remediation is applicable only in certain platforms\n"
++
++            cond = platform_conditionals.pop(0)
++            platform_fix_text += "if {}".format(cond)
++            for cond in platform_conditionals:
++                platform_fix_text += " && {}".format(cond)
++            platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
++
++            remediation = namedtuple('remediation', ['contents', 'config'])
++            result = remediation(contents=platform_fix_text, config=result.config)
++
++        return result
+ 
+ class AnsibleRemediation(Remediation):
+     def __init__(self, file_path):
+
+From 19e0c3b709e091159655d37b8ce5d693750f0a81 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Tue, 8 Sep 2020 14:41:01 +0200
+Subject: [PATCH 2/5] Handle Bash platform wrapping in xccdf expansion
+
+Adjust expansion of subs and variables not to remove the whole beginning
+of the fix test. This was removing the package conditional wrapping.
+---
+ ssg/build_remediations.py | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 2d4a805e78..49ec557000 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -736,14 +736,16 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
+         patcomp = re.compile(pattern, re.DOTALL)
+         fixparts = re.split(patcomp, fix.text)
+         if fixparts[0] is not None:
+-            # Split the portion of fix.text from fix start to first call of
+-            # remediation function, keeping only the third part:
+-            # * tail        to hold part of the fix.text after inclusion,
+-            #               but before first call of remediation function
++            # Split the portion of fix.text at the string remediation_functions,
++            # and remove preceeding comment whenever it is there.
++            # * head        holds part of the fix.text before
++            #               remediation_functions string
++            # * tail        holds part of the fix.text after the
++            #               remediation_functions string
+             try:
+-                rfpattern = '(.*remediation_functions)(.*)'
+-                rfpatcomp = re.compile(rfpattern, re.DOTALL)
+-                _, _, tail, _ = re.split(rfpatcomp, fixparts[0], maxsplit=2)
++                rfpattern = r'((?:# Include source function library\.\n)?.*remediation_functions)'
++                rfpatcomp = re.compile(rfpattern)
++                head, _, tail = re.split(rfpatcomp, fixparts[0], maxsplit=1)
+             except ValueError:
+                 sys.stderr.write("Processing fix.text for: %s rule\n"
+                                  % fix.get('rule'))
+@@ -751,9 +753,10 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
+                                  "after inclusion of remediation functions."
+                                  " Aborting..\n")
+                 sys.exit(1)
+-            # If the 'tail' is not empty, make it new fix.text.
++            # If the 'head' is not empty, make it new fix.text.
+             # Otherwise use ''
+-            fix.text = tail if tail is not None else ''
++            fix.text = head if head is not None else ''
++            fix.text += tail if tail is not None else ''
+             # Drop the first element of 'fixparts' since it has been processed
+             fixparts.pop(0)
+             # Perform sanity check on new 'fixparts' list content (to continue
+
+From 1292b93dc35a9a308464f1effb7f10f8de6db457 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Tue, 8 Sep 2020 20:56:17 +0200
+Subject: [PATCH 3/5] Check if remediation has associated rule before use
+
+---
+ ssg/build_remediations.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 49ec557000..85f7139d8f 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -273,9 +273,11 @@ def parse_from_file_with_jinja(self, env_yaml):
+         self.local_env_yaml.update(env_yaml)
+         result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
+ 
+-        # There can be repeated inherited platforms and rule platforms
+-        rule_platforms = set(self.associated_rule.inherited_platforms)
+-        rule_platforms.add(self.associated_rule.platform)
++        rule_platforms = set()
++        if self.associated_rule:
++            # There can be repeated inherited platforms and rule platforms
++            rule_platforms.update(self.associated_rule.inherited_platforms)
++            rule_platforms.add(self.associated_rule.platform)
+ 
+         platform_conditionals = []
+         for platform in rule_platforms:
+
+From 7953a02e61bb56b501c56f46972247751292dcbb Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 10 Sep 2020 10:59:43 +0200
+Subject: [PATCH 4/5] Fix python2 compat and improve code readability
+
+---
+ ssg/build_remediations.py | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 85f7139d8f..673d6d0cc6 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -28,10 +28,10 @@
+ }
+ 
+ PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
+-    'apt_get': 'dpkg-query -s {} &>/dev/null',
+-    'dnf': 'rpm --quiet -q {}',
+-    'yum': 'rpm --quiet -q {}',
+-    'zypper': 'rpm --quiet -q {}',
++    'apt_get': 'dpkg-query -s {0} &>/dev/null',
++    'dnf': 'rpm --quiet -q {0}',
++    'yum': 'rpm --quiet -q {0}',
++    'zypper': 'rpm --quiet -q {0}',
+ }
+ 
+ FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
+@@ -297,16 +297,23 @@ def parse_from_file_with_jinja(self, env_yaml):
+                 platform_conditionals.append(pkg_check_command.format(platform))
+ 
+         if platform_conditionals:
+-            platform_fix_text = "# Remediation is applicable only in certain platforms\n"
++            wrapped_fix_text = ["# Remediation is applicable only in certain platforms"]
+ 
+-            cond = platform_conditionals.pop(0)
+-            platform_fix_text += "if {}".format(cond)
+-            for cond in platform_conditionals:
+-                platform_fix_text += " && {}".format(cond)
+-            platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
++            all_conditions = " && ".join(platform_conditionals)
++            wrapped_fix_text.append("if {0}; then".format(all_conditions))
++
++            # Avoid adding extra blank line
++            if not result.contents.startswith("\n"):
++                wrapped_fix_text.append("")
++
++            wrapped_fix_text.append("{0}".format(result.contents))
++            wrapped_fix_text.append("")
++            wrapped_fix_text.append("else")
++            wrapped_fix_text.append("    >&2 echo 'Remediation is not applicable, nothing was done'")
++            wrapped_fix_text.append("fi")
+ 
+             remediation = namedtuple('remediation', ['contents', 'config'])
+-            result = remediation(contents=platform_fix_text, config=result.config)
++            result = remediation(contents="\n".join(wrapped_fix_text), config=result.config)
+ 
+         return result
+ 
+
+From 0bd3912651367c64789bb3d67b44c3b8848708c0 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Thu, 10 Sep 2020 17:25:27 +0200
+Subject: [PATCH 5/5] Document the perils of indenting wrapped Bash fixes
+
+---
+ ssg/build_remediations.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 673d6d0cc6..f269d4d2d6 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -306,6 +306,9 @@ def parse_from_file_with_jinja(self, env_yaml):
+             if not result.contents.startswith("\n"):
+                 wrapped_fix_text.append("")
+ 
++            # It is possible to indent the original body of the remediation with textwrap.indent(),
++            # however, it is not supported by python2, and there is a risk of breaking remediations
++            # For example, remediations with a here-doc block could be affected.
+             wrapped_fix_text.append("{0}".format(result.contents))
+             wrapped_fix_text.append("")
+             wrapped_fix_text.append("else")
diff --git a/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch b/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
new file mode 100644
index 0000000..d8fc95c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
@@ -0,0 +1,203 @@
+From 7c0b04c157374e9251360d1d5e12a9e00dd4375e Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 4 Sep 2020 09:50:54 +0200
+Subject: [PATCH 1/3] Introduce platform_package_overrides
+
+Introduce a mapping of CPE package platform name to a package name.
+
+Each linux distro or version may have its specific name for a package,
+this mapping allows a product to override the package name of a
+platorm.
+
+By default, it assumes that the package name will be the same as the
+platform name.
+---
+ rhel8/product.yml         | 7 +++++++
+ ssg/build_remediations.py | 3 +++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/rhel8/product.yml b/rhel8/product.yml
+index 6cdc51919e..6b5b4e2748 100644
+--- a/rhel8/product.yml
++++ b/rhel8/product.yml
+@@ -18,3 +18,10 @@ aux_pkg_version: "d4082792"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  grub2: "grub2-pc"
++  login_defs: "shadow-utils"
++  sssd: "sssd-common"
++  zipl: "s390x-utils"
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 866450dd8c..ccbdf9fc1f 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -389,6 +389,9 @@ def update_when_from_rule(self, to_update):
+                 if "package_facts" in to_update:
+                     continue
+ 
++                if platform in self.local_env_yaml["platform_package_overrides"]:
++                    platform = self.local_env_yaml["platform_package_overrides"].get(platform)
++
+                 additional_when.append('"' + platform + '" in ansible_facts.packages')
+                 # After adding the conditional, we need to make sure package_facts are collected.
+                 # This is done via inject_package_facts_task()
+
+From 10dc62084cf8e38be9189b527c3b99b545826091 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 4 Sep 2020 14:42:57 +0200
+Subject: [PATCH 2/3] Move platform to cpe mappings to ssg/constants
+
+---
+ rhel8/product.yml | 6 ------
+ ssg/constants.py  | 8 ++++++++
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/rhel8/product.yml b/rhel8/product.yml
+index 6b5b4e2748..d839b23231 100644
+--- a/rhel8/product.yml
++++ b/rhel8/product.yml
+@@ -19,9 +19,3 @@ aux_pkg_version: "d4082792"
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+ 
+-# Mapping of CPE platform to package
+-platform_package_overrides:
+-  grub2: "grub2-pc"
+-  login_defs: "shadow-utils"
+-  sssd: "sssd-common"
+-  zipl: "s390x-utils"
+diff --git a/ssg/constants.py b/ssg/constants.py
+index 3f9d7d37ce..7e9678241c 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -501,6 +501,14 @@
+     "zipl": "cpe:/a:zipl",
+ }
+ 
++# Default platform to package mapping
++XCCDF_PLATFORM_TO_PACKAGE = {
++  "grub2": "grub2-pc",
++  "login_defs": "login",
++  "sssd": "sssd-common",
++  "zipl": "s390x-utils",
++}
++
+ # _version_name_map = {
+ MAKEFILE_ID_TO_PRODUCT_MAP = {
+     'chromium': 'Google Chromium Browser',
+
+From feb012f06adae989138be15431020f2c174becc4 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 4 Sep 2020 14:47:29 +0200
+Subject: [PATCH 3/3] Allow override of default platform package mapping
+
+With default platform to package mappings defined, we need to allow a
+product to override it if needed.
+---
+ rhel6/product.yml   | 4 ++++
+ rhel7/product.yml   | 4 ++++
+ rhel8/product.yml   | 3 +++
+ rhosp10/product.yml | 3 +++
+ rhosp13/product.yml | 4 ++++
+ rhv4/product.yml    | 4 ++++
+ ssg/yaml.py         | 6 +++++-
+ 8 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/rhel6/product.yml b/rhel6/product.yml
+index cc8fa4f8ed..eab9b80c47 100644
+--- a/rhel6/product.yml
++++ b/rhel6/product.yml
+@@ -20,3 +20,7 @@ aux_pkg_version: "2fa658e0"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhel7/product.yml b/rhel7/product.yml
+index f03c928b8f..3ff996b8cc 100644
+--- a/rhel7/product.yml
++++ b/rhel7/product.yml
+@@ -18,3 +18,7 @@ aux_pkg_version: "2fa658e0"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhel8/product.yml b/rhel8/product.yml
+index d839b23231..f3aa59faec 100644
+--- a/rhel8/product.yml
++++ b/rhel8/product.yml
+@@ -19,3 +19,6 @@ aux_pkg_version: "d4082792"
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+ 
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhosp10/product.yml b/rhosp10/product.yml
+index 51d0a932a5..af42ca998d 100644
+--- a/rhosp10/product.yml
++++ b/rhosp10/product.yml
+@@ -10,3 +10,6 @@ pkg_manager: "yum"
+ 
+ init_system: "systemd"
+ 
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhosp13/product.yml b/rhosp13/product.yml
+index 5e849ff609..ba42a31cd7 100644
+--- a/rhosp13/product.yml
++++ b/rhosp13/product.yml
+@@ -9,3 +9,7 @@ profiles_root: "./profiles"
+ pkg_manager: "yum"
+ 
+ init_system: "systemd"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhv4/product.yml b/rhv4/product.yml
+index 10a2eda079..a61bf1588d 100644
+--- a/rhv4/product.yml
++++ b/rhv4/product.yml
+@@ -18,3 +18,7 @@ aux_pkg_version: "d4082792"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/ssg/yaml.py b/ssg/yaml.py
+index cefbba374c..22cf5bad66 100644
+--- a/ssg/yaml.py
++++ b/ssg/yaml.py
+@@ -10,7 +10,8 @@
+ 
+ from .jinja import load_macros, process_file
+ from .constants import (PKG_MANAGER_TO_SYSTEM,
+-                        PKG_MANAGER_TO_CONFIG_FILE)
++                        PKG_MANAGER_TO_CONFIG_FILE,
++                        XCCDF_PLATFORM_TO_PACKAGE)
+ from .constants import DEFAULT_UID_MIN
+ 
+ try:
+@@ -138,6 +139,9 @@ def open_raw(yaml_file):
+ 
+ def open_environment(build_config_yaml, product_yaml):
+     contents = open_raw(build_config_yaml)
++    # Load common platform package mappings,
++    # any specific mapping in product_yaml will override the default
++    contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
+     contents.update(open_raw(product_yaml))
+     contents.update(_get_implied_properties(contents))
+     return contents
diff --git a/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch b/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
new file mode 100644
index 0000000..2023459
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
@@ -0,0 +1,92 @@
+From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Mon, 21 Sep 2020 10:26:53 +0200
+Subject: [PATCH] Remove zIPL rule for PTI bootloader option
+
+This setting is to mitigate a problem specific for intel archs.
+Also returns the CCE to the pool.
+---
+ .../zipl_pti_argument/rule.yml                | 38 -------------------
+ rhel8/profiles/ospp.profile                   |  1 -
+ rhel8/profiles/stig.profile                   |  1 -
+ .../data/profile_stability/rhel8/ospp.profile |  1 -
+ 4 files changed, 41 deletions(-)
+ delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+deleted file mode 100644
+index 96170e6d85..0000000000
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ /dev/null
+@@ -1,38 +0,0 @@
+-documentation_complete: true
+-
+-prodtype: rhel8
+-
+-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+-
+-description: |-
+-    To enable Kernel page-table isolation,
+-    check that all boot entries in /boot/loader/entries/*.conf have pti=on
+-    included in its options.

+-    To ensure that new kernels and boot entries continue to enable page-table isolation,
+-    add pti=on to /etc/kernel/cmdline.
+-
+-rationale: |-
+-    Kernel page-table isolation is a kernel feature that mitigates
+-    the Meltdown security vulnerability and hardens the kernel
+-    against attempts to bypass kernel address space layout
+-    randomization (KASLR).
+-
+-severity: medium
+-
+-identifiers:
+-    cce@rhel8: 83361-6
+-
+-ocil_clause: 'Kernel page-table isolation is not enabled'
+-
+-ocil: |-
+-  To check that page-table isolation is enabled at boot time, check all boot entries with following command:
+-  
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf

+-  No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+-
+-platform: machine
+-
+-template:
+-  name: zipl_bls_entries_option
+-  vars:
+-    arg_name: pti
+-    arg_value: 'on'
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 5e81e4a92a..46f00c89f1 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -426,4 +426,3 @@ selections:
+     - zipl_vsyscall_argument
+     - zipl_vsyscall_argument.role=unscored
+     - zipl_vsyscall_argument.severity=info
+-    - zipl_pti_argument
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 53647475aa..817d5dbadd 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -52,7 +52,6 @@ selections:
+     - "!zipl_audit_argument"
+     - "!zipl_audit_backlog_limit_argument"
+     - "!zipl_page_poison_argument"
+-    - "!zipl_pti_argument"
+     - "!zipl_slub_debug_argument"
+     - "!zipl_vsyscall_argument"
+     - "!zipl_vsyscall_argument.role=unscored"
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 7b7307cba8..223b1423cd 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -219,7 +219,6 @@ selections:
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
+ - zipl_page_poison_argument
+-- zipl_pti_argument
+ - zipl_slub_debug_argument
+ - zipl_vsyscall_argument
+ - var_sshd_set_keepalive=0
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch b/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
new file mode 100644
index 0000000..0199bf4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
@@ -0,0 +1,49 @@
+From 08d5fb8355020856282eecfcdd09e96d9850cd62 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Fri, 9 Oct 2020 09:30:35 +0200
+Subject: [PATCH] Do not platform wrap empty Bash remediation
+
+The fix text for a rule can end up empty if a Jinja macro or conditional
+doesn't render any text.
+In these cases, avoid wrapping empty lines in an if-else, as this causes
+syntax error.
+---
+ ssg/build_remediations.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index f269d4d2d6..572db61701 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -273,6 +273,13 @@ def parse_from_file_with_jinja(self, env_yaml):
+         self.local_env_yaml.update(env_yaml)
+         result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
+ 
++        # Avoid platform wrapping empty fix text
++        # Remediations can be empty when a Jinja macro or conditional
++        # renders no fix text for a product
++        stripped_fix_text = result.contents.strip()
++        if stripped_fix_text == "":
++            return result
++
+         rule_platforms = set()
+         if self.associated_rule:
+             # There can be repeated inherited platforms and rule platforms
+@@ -301,15 +308,11 @@ def parse_from_file_with_jinja(self, env_yaml):
+ 
+             all_conditions = " && ".join(platform_conditionals)
+             wrapped_fix_text.append("if {0}; then".format(all_conditions))
+-
+-            # Avoid adding extra blank line
+-            if not result.contents.startswith("\n"):
+-                wrapped_fix_text.append("")
+-
++            wrapped_fix_text.append("")
+             # It is possible to indent the original body of the remediation with textwrap.indent(),
+             # however, it is not supported by python2, and there is a risk of breaking remediations
+             # For example, remediations with a here-doc block could be affected.
+-            wrapped_fix_text.append("{0}".format(result.contents))
++            wrapped_fix_text.append("{0}".format(stripped_fix_text))
+             wrapped_fix_text.append("")
+             wrapped_fix_text.append("else")
+             wrapped_fix_text.append("    >&2 echo 'Remediation is not applicable, nothing was done'")
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch b/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
new file mode 100644
index 0000000..83df4d6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
@@ -0,0 +1,116 @@
+From cf1d85924b5945506e57f8701be066c83a894378 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Mon, 5 Oct 2020 16:40:39 +0200
+Subject: [PATCH 1/2] Check for grub2-common instead of grub2-pc
+
+Check for grub2 intallation based on grub2-common.
+grub2-pc is a x86_64 package, but other arches use grub2 as well.
+---
+ .../checks/oval/installed_env_has_grub2_package.xml  | 12 ++++++------
+ ssg/constants.py                                     |  2 +-
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
+index e83f45bc3b..2a170d668e 100644
+--- a/shared/checks/oval/installed_env_has_grub2_package.xml
++++ b/shared/checks/oval/installed_env_has_grub2_package.xml
+@@ -6,31 +6,31 @@
+       
+         multi_platform_all
+       
+-      Checks if package grub2-pc is installed.
++      Checks if package grub2-common is installed.
+       
+     
+     
+-      
++      
+     
+   
+ 
+ {{% if pkg_system == "rpm" %}}
+   
++  comment="system has package grub2-common installed">
+     
+   
+   
+-    grub2-pc
++    grub2-common
+   
+ {{% elif pkg_system == "dpkg" %}}
+   
++  comment="system has package grub2-common installed">
+     
+   
+   
+-    grub2-pc
++    grub2-common
+   
+ {{% endif %}}
+ 
+diff --git a/ssg/constants.py b/ssg/constants.py
+index b07fe5f0fe..88316374b5 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -468,7 +468,7 @@
+ 
+ # Default platform to package mapping
+ XCCDF_PLATFORM_TO_PACKAGE = {
+-  "grub2": "grub2-pc",
++  "grub2": "grub2-common",
+   "login_defs": "login",
+   "sssd": "sssd-common",
+   "zipl": "s390utils-base",
+
+From fba876cfc7f85f5b9a696d0f5fa1177299b7c6bb Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Mon, 5 Oct 2020 16:49:15 +0200
+Subject: [PATCH 2/2] Handle exception of grub2-coomon in ppc64le
+
+ppc64le systems can use Grub2 or OPAL and the package set will be the
+same in both cases.
+Add a few more checks to make sure ppc64le arch is handled correctly.
+---
+ .../oval/installed_env_has_grub2_package.xml  | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
+index 2a170d668e..fb2c9cc784 100644
+--- a/shared/checks/oval/installed_env_has_grub2_package.xml
++++ b/shared/checks/oval/installed_env_has_grub2_package.xml
+@@ -9,8 +9,18 @@
+       Checks if package grub2-common is installed.
+       
+     
+-    
++    
+       
++      
++        
++        
++        
++        
++        
++      
+     
+   
+ 
+@@ -34,4 +44,11 @@
+   
+ {{% endif %}}
+ 
++  
++    
++  
++  
++    /sys/firmware/opal
++  
++
+ 
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch b/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
new file mode 100644
index 0000000..8c84ee4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
@@ -0,0 +1,38 @@
+From 7dfeb5ec0513a58502eb83aa2900e7c5fb0d478e Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Tue, 8 Sep 2020 11:29:57 +0200
+Subject: [PATCH] Fix load of product platform mapping
+
+The product specific mappings were overriding the common mappings,
+instead of being merged with them.
+---
+ ssg/yaml.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/ssg/yaml.py b/ssg/yaml.py
+index 22cf5bad66..d8856e52c9 100644
+--- a/ssg/yaml.py
++++ b/ssg/yaml.py
+@@ -13,6 +13,7 @@
+                         PKG_MANAGER_TO_CONFIG_FILE,
+                         XCCDF_PLATFORM_TO_PACKAGE)
+ from .constants import DEFAULT_UID_MIN
++from .utils import merge_dicts
+ 
+ try:
+     from yaml import CSafeLoader as yaml_SafeLoader
+@@ -139,10 +140,11 @@ def open_raw(yaml_file):
+ 
+ def open_environment(build_config_yaml, product_yaml):
+     contents = open_raw(build_config_yaml)
+-    # Load common platform package mappings,
+-    # any specific mapping in product_yaml will override the default
+-    contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
+     contents.update(open_raw(product_yaml))
++    platform_package_overrides = contents.get("platform_package_overrides", {})
++    # Merge common platform package mappings, while keeping product specific mappings
++    contents["platform_package_overrides"] = merge_dicts(XCCDF_PLATFORM_TO_PACKAGE,
++                                                         platform_package_overrides)
+     contents.update(_get_implied_properties(contents))
+     return contents
+ 
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch b/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
new file mode 100644
index 0000000..fc1fecd
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
@@ -0,0 +1,22 @@
+From 570dc073739e9044b54e872c8368125bccadb704 Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Tue, 29 Sep 2020 15:28:02 +0200
+Subject: [PATCH] Fix zIPL package mapping
+
+---
+ ssg/constants.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssg/constants.py b/ssg/constants.py
+index 0eca2f4f95..fa6c756ff6 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -470,7 +470,7 @@
+   "grub2": "grub2-pc",
+   "login_defs": "login",
+   "sssd": "sssd-common",
+-  "zipl": "s390x-utils",
++  "zipl": "s390utils-base",
+ }
+ 
+ # _version_name_map = {
diff --git a/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch b/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
new file mode 100644
index 0000000..20310cb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
@@ -0,0 +1,16 @@
+From 7a069a2deb4d1ce69b02b7615523424f2ecf281f Mon Sep 17 00:00:00 2001
+From: Watson Sato 
+Date: Tue, 29 Sep 2020 15:04:39 +0200
+Subject: [PATCH] Move grub2_vsyscall_argument to grub2 group
+
+This will put the rule under grub2 platform, so the rule is only
+applicable on a machine system with grub2.
+---
+ .../grub2_vsyscall_argument/rule.yml                              | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename linux_os/guide/system/{permissions/restrictions => bootloader-grub2}/grub2_vsyscall_argument/rule.yml (100%)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+similarity index 100%
+rename from linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
+rename to linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index e098e0d..8430bd2 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.50
-Release:	14%{?dist}
+Release:	16%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 Group:		Applications/System
 License:	BSD
@@ -35,6 +35,23 @@ Patch23:		scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_58
 Patch24:		scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
 Patch25:		scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
 Patch26:		scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
+Patch27:		scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch
+Patch28:		scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch
+Patch29:		scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
+Patch30:		scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
+Patch31:		scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
+Patch32:		scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
+Patch33:		scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
+# To ease backport, patch 33 also includes changes from #5995
+Patch34:		scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
+Patch35:		scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
+Patch36:		scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
+Patch37:		scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
+Patch38:		scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
+Patch39:		scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
+Patch40:		scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
+Patch41:		scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
+Patch42:		scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
 
 BuildArch:	noarch
 
@@ -96,6 +113,22 @@ present in %{name} package.
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
+%patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1
+%patch42 -p1
 mkdir build
 
 %build
@@ -130,6 +163,13 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Fri Oct 09 2020 Watson Sato  - 0.1.50-16
+- Fix Bash platform in empty remediations (rhbz#1886318)
+
+* Tue Oct 06 2020 Watson Sato  - 0.1.50-15
+- Add and select zIPL bootloader rules in OSPP (rhbz#1886318)
+- Add support for remediation platforms
+
 * Wed Sep 02 2020 Matěj Týč  - 0.1.50-14
 - Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)