diff --git a/.gitignore b/.gitignore
index 573eb37..3e926eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.50.tar.bz2
+SOURCES/scap-security-guide-0.1.53.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index d7de47e..d061d4f 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2
+86a00c7cf51695c4718329590af7f9f599312dda SOURCES/scap-security-guide-0.1.53.tar.bz2
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
index 80b2a96..fdd5c66 100644
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -1,24 +1,27 @@
-From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
+From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
 From: Watson Sato <wsato@redhat.com>
-Date: Fri, 17 Jan 2020 19:01:22 +0100
+Date: Thu, 3 Dec 2020 14:35:47 +0100
 Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
 
-They raise too many errors and fails.
-Also disable tables for profiles that are not built.
 ---
- rhel8/CMakeLists.txt              | 2 --
- rhel8/profiles/cjis.profile       | 2 +-
- rhel8/profiles/rhelh-stig.profile | 2 +-
- rhel8/profiles/rhelh-vpp.profile  | 2 +-
- rhel8/profiles/rht-ccp.profile    | 2 +-
- rhel8/profiles/standard.profile   | 2 +-
- 9 files changed, 8 insertions(+), 10 deletions(-)
+ rhel8/CMakeLists.txt                           | 6 ------
+ rhel8/profiles/anssi_bp28_enhanced.profile     | 2 +-
+ rhel8/profiles/anssi_bp28_high.profile         | 2 +-
+ rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
+ rhel8/profiles/anssi_bp28_minimal.profile      | 2 +-
+ rhel8/profiles/cjis.profile                    | 2 +-
+ rhel8/profiles/ism_o.profile                   | 2 +-
+ rhel8/profiles/rhelh-stig.profile              | 2 +-
+ rhel8/profiles/rhelh-vpp.profile               | 2 +-
+ rhel8/profiles/rht-ccp.profile                 | 2 +-
+ rhel8/profiles/standard.profile                | 2 +-
+ 11 files changed, 10 insertions(+), 16 deletions(-)
 
 diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
-index 40f2b2b0f..492a8dae1 100644
+index d61689c97..5e444a101 100644
 --- a/rhel8/CMakeLists.txt
 +++ b/rhel8/CMakeLists.txt
-@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
+@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
  ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
  ssg_build_html_table_by_ref(${PRODUCT} "anssi")
  
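Review bot: The rebased patch drops the commit-message body that explained why these profiles are disabled (the two body lines removed near the top of the hunk are not replaced), so the new version carries no rationale for marking the anssi_bp28_*, ism_o and the previously listed profiles `documentation_complete: false`. Because these are compliance profiles that consumers of the built datastream may expect to find, a downstream reader needs to know the omission is deliberate; restore a body such as `The anssi_bp28_* and ism_o profiles are not yet in good shape for RHEL 8 (they raise too many errors and failures); disable them and the reference tables built for them.` If the spec file or packaged tests reference any of these profile IDs they presumably need the same update, which cannot be confirmed from this diff.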
@@ -26,18 +29,74 @@ index 40f2b2b0f..492a8dae1 100644
  ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
  ssg_build_html_nistrefs_table(${PRODUCT} "stig")
  
- # Uncomment when anssi profiles are marked documentation_complete: true
- #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal")
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+-
+ ssg_build_html_cce_table(${PRODUCT})
+ 
+ ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
+diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
+index e7e2f2875..75b1f4153 100644
+--- a/rhel8/profiles/anssi_bp28_enhanced.profile
++++ b/rhel8/profiles/anssi_bp28_enhanced.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'ANSSI BP-028 (enhanced)'
+ 
+diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
+index ccad93d67..6a854378c 100644
+--- a/rhel8/profiles/anssi_bp28_high.profile
++++ b/rhel8/profiles/anssi_bp28_high.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'ANSSI BP-028 (high)'
+ 
+diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
+index 638e60e0e..55ef4d680 100644
+--- a/rhel8/profiles/anssi_bp28_intermediary.profile
++++ b/rhel8/profiles/anssi_bp28_intermediary.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'ANSSI BP-028 (intermediary)'
+ 
+diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
+index 45cbba8f3..468c20adf 100644
+--- a/rhel8/profiles/anssi_bp28_minimal.profile
++++ b/rhel8/profiles/anssi_bp28_minimal.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'ANSSI BP-028 (minimal)'
+ 
 diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
-index 05ea9cdd6..9c55ac5b1 100644
+index 035d2705b..c6475f33e 100644
 --- a/rhel8/profiles/cjis.profile
 +++ b/rhel8/profiles/cjis.profile
 @@ -1,4 +1,4 @@
 -documentation_complete: true
 +documentation_complete: false
  
- title: 'Criminal Justice Information Services (CJIS) Security Policy'
+ metadata:
+     version: 5.4
+diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
+index a3c427c01..4605dea3b 100644
+--- a/rhel8/profiles/ism_o.profile
++++ b/rhel8/profiles/ism_o.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
  
+ metadata:
+     SMEs:
 diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
 index 1efca5f44..c3d0b0964 100644
 --- a/rhel8/profiles/rhelh-stig.profile
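Review bot: The four `ssg_build_html_anssirefs_table` calls are deleted outright without the breadcrumb the previous version of this patch kept in context (`# Uncomment when anssi profiles are marked documentation_complete: true`), so nothing left in rhel8/CMakeLists.txt records that these tables must be restored together with the profiles. Consider having the patch leave a one-line comment in place of the deleted calls, e.g. `# anssirefs tables for bp28_* are disabled while the ANSSI profiles are documentation_complete: false`. The profile hunks that follow only flip `documentation_complete`, which is what hides each profile from the build; ism_o is disabled the same way and should be named in that comment or in the commit body so the two are re-enabled as a set. The rhelh-stig.profile section continues past the end of this hunk.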
@@ -79,5 +138,5 @@ index a63ae2cf3..da669bb84 100644
  title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
  
 -- 
-2.21.1
+2.26.2
 
diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
deleted file mode 100644
index e859c54..0000000
--- a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 12 May 2020 08:17:20 +0200
-Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
-
----
- .../ansible/shared.yml                        | 33 +++++++++++++++++++
- 1 file changed, 33 insertions(+)
- create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
-
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
-new file mode 100644
-index 0000000000..5d76b3c073
---- /dev/null
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
-@@ -0,0 +1,33 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = configure
-+# complexity = low
-+# disruption = low
-+
-+- name: Configure daily log rotation in /etc/logrotate.conf
-+  lineinfile:
-+    create: yes
-+    dest: "/etc/logrotate.conf"
-+    regexp: "^daily$"
-+    line: "daily"
-+
-+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
-+  lineinfile:
-+    create: no
-+    dest: "/etc/logrotate.conf"
-+    regexp: "^(weekly|monthly|yearly)$"
-+    state: absent
-+
-+- name: Configure cron.daily if not already
-+  block:
-+    - name: Add shebang
-+      lineinfile:
-+        path: "/etc/cron.daily/logrotate"
-+        line: "#!/bin/sh"
-+        insertbefore: BOF
-+        create: yes
-+    - name: Add logrotate call
-+      lineinfile:
-+        path: "/etc/cron.daily/logrotate"
-+        line: '/usr/sbin/logrotate /etc/logrotate.conf'
-+        regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
-
-From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 12 May 2020 14:48:15 +0200
-Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
-
-Test scenario when monthly is there, but weekly is not.
----
- .../tests/logrotate_conf_extra_monthly.fail.sh                | 4 ++++
- 1 file changed, 4 insertions(+)
- create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
-
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
-new file mode 100644
-index 0000000000..b10362989b
---- /dev/null
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+
-+sed -i "s/weekly/daily/g" /etc/logrotate.conf
-+echo "monthly" >> /etc/logrotate.conf
diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
deleted file mode 100644
index a864ebf..0000000
--- a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Wed, 13 May 2020 20:49:08 +0200
-Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
-
----
- .../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
- .../sshd_set_max_sessions/tests/wrong_value.fail.sh   | 11 +++++++++++
- 2 files changed, 22 insertions(+)
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..a816eea390
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
-@@ -0,0 +1,11 @@
-+# profiles = xccdf_org.ssgproject.content_profile_cis
-+# platform = Red Hat Enterprise Linux 8
-+
-+#!/bin/bash
-+SSHD_CONFIG="/etc/ssh/sshd_config"
-+
-+if grep -q "^MaxSessions" $SSHD_CONFIG; then
-+        sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
-+    else
-+            echo "MaxSessions 4" >> $SSHD_CONFIG
-+fi
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..b36125f5bb
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
-@@ -0,0 +1,11 @@
-+# profiles = xccdf_org.ssgproject.content_profile_cis
-+# platform = Red Hat Enterprise Linux 8
-+
-+#!/bin/bash
-+SSHD_CONFIG="/etc/ssh/sshd_config"
-+
-+if grep -q "^MaxSessions" $SSHD_CONFIG; then
-+        sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
-+    else
-+            echo "MaxSessions 10" >> $SSHD_CONFIG
-+fi
-
-From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Wed, 13 May 2020 20:53:50 +0200
-Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
-
----
- .../sshd_set_max_sessions/ansible/shared.yml         |  8 ++++++++
- .../ssh_server/sshd_set_max_sessions/bash/shared.sh  | 12 ++++++++++++
- .../tests/correct_value.pass.sh                      |  2 +-
- .../sshd_set_max_sessions/tests/wrong_value.fail.sh  |  2 +-
- 4 files changed, 22 insertions(+), 2 deletions(-)
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
-new file mode 100644
-index 0000000000..a7e171dfe9
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
-@@ -0,0 +1,8 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = configure
-+# complexity = low
-+# disruption = low
-+- (xccdf-var var_sshd_max_sessions)
-+
-+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
-new file mode 100644
-index 0000000000..fc0a1d8b42
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
-@@ -0,0 +1,12 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = configure
-+# complexity = low
-+# disruption = low
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+populate var_sshd_max_sessions
-+
-+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
-index a816eea390..4cc6d65988 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
-@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
- if grep -q "^MaxSessions" $SSHD_CONFIG; then
-         sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
-     else
--            echo "MaxSessions 4" >> $SSHD_CONFIG
-+        echo "MaxSessions 4" >> $SSHD_CONFIG
- fi
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
-index b36125f5bb..bc0c47842a 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
-@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
- if grep -q "^MaxSessions" $SSHD_CONFIG; then
-         sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
-     else
--            echo "MaxSessions 10" >> $SSHD_CONFIG
-+        echo "MaxSessions 10" >> $SSHD_CONFIG
- fi
diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
deleted file mode 100644
index ff529ca..0000000
--- a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 15 May 2020 11:52:35 +0200
-Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
-
-Very likey a copy-pasta error from bash remediation for
-audit_rules_immutable
----
- .../audit_rules_system_shutdown/bash/shared.sh                  | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
-index 1c9748ce9b..b56513cdcd 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
-@@ -8,7 +8,7 @@
- # files to check if '-f .*' setting is present in that '*.rules' file already.
- # If found, delete such occurrence since auditctl(8) manual page instructs the
- # '-f 2' rule should be placed as the last rule in the configuration
--find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
-+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
- 
- # Append '-f 2' requirement at the end of both:
- # * /etc/audit/audit.rules file 		(for auditctl case)
-
-From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 15 May 2020 12:12:21 +0200
-Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
-
-Along with very basic test scenarios
----
- .../ansible/shared.yml                        | 28 +++++++++++++++++++
- .../tests/augen_correct.pass.sh               |  4 +++
- .../tests/augen_e_2_immutable.fail.sh         |  3 ++
- 3 files changed, 35 insertions(+)
- create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
- create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
- create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
-new file mode 100644
-index 0000000000..b9e8fa87fa
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
-@@ -0,0 +1,28 @@
-+# platform = multi_platform_all
-+# reboot = true
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
-+
-+- name: Collect all files from /etc/audit/rules.d with .rules extension
-+  find:
-+    paths: "/etc/audit/rules.d/"
-+    patterns: "*.rules"
-+  register: find_rules_d
-+
-+- name: Remove the -f option from all Audit config files
-+  lineinfile:
-+    path: "{{ item }}"
-+    regexp: '^\s*(?:-f)\s+.*$'
-+    state: absent
-+  loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
-+
-+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
-+  lineinfile:
-+    path: "{{ item }}"
-+    create: True
-+    line: "-f 2"
-+  loop:
-+    - "/etc/audit/audit.rules"
-+    - "/etc/audit/rules.d/immutable.rules"
-+
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
-new file mode 100644
-index 0000000000..0587b937e0
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+
-+echo "-e 2" > /etc/audit/rules.d/immutable.rules
-+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
-new file mode 100644
-index 0000000000..fa5b7231df
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+echo "-e 2" > /etc/audit/rules.d/immutable.rules
-
-From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 15 May 2020 14:06:08 +0200
-Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
-
----
- .../audit_rules_immutable/ansible/shared.yml                    | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
-index 5ac7b3dabb..1cafb744cc 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
-@@ -17,7 +17,7 @@
-     state: absent
-   loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
- 
--- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
-+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
-   lineinfile:
-     path: "{{ item }}"
-     create: True
-
-From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 11:02:56 +0200
-Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
-
----
- .../audit_rules_system_shutdown/bash/shared.sh            | 8 --------
- 1 file changed, 8 deletions(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
-index b56513cdcd..a349bb1ca1 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
-@@ -4,16 +4,8 @@
- #
- # /etc/audit/audit.rules,			(for auditctl case)
- # /etc/audit/rules.d/*.rules			(for augenrules case)
--#
--# files to check if '-f .*' setting is present in that '*.rules' file already.
--# If found, delete such occurrence since auditctl(8) manual page instructs the
--# '-f 2' rule should be placed as the last rule in the configuration
- find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
- 
--# Append '-f 2' requirement at the end of both:
--# * /etc/audit/audit.rules file 		(for auditctl case)
--# * /etc/audit/rules.d/immutable.rules		(for augenrules case)
--
- for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
- do
- 	echo '' >> $AUDIT_FILE
diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
deleted file mode 100644
index 2b5acdc..0000000
--- a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 21 May 2020 18:16:43 +0200
-Subject: [PATCH] Attribute content to CIS
-
-And update the description a bit.
----
- rhel7/profiles/cis.profile | 8 +++++---
- rhel8/profiles/cis.profile | 8 +++++---
- 2 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
-index 0826a49547..829c388133 100644
---- a/rhel7/profiles/cis.profile
-+++ b/rhel7/profiles/cis.profile
-@@ -3,9 +3,11 @@ documentation_complete: true
- title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
- 
- description: |-
--    This baseline aligns to the Center for Internet Security
--    Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
--    12-27-2017.
-+    This profile defines a baseline that aligns to the Center for Internet Security®
-+    Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
-+
-+    This profile includes Center for Internet Security®
-+    Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
- 
- selections:
-     # Necessary for dconf rules
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index f332ee5462..868b9f21a6 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -3,9 +3,11 @@ documentation_complete: true
- title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
- 
- description: |-
--    This baseline aligns to the Center for Internet Security
--    Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
--    09-30-2019.
-+    This profile defines a baseline that aligns to the Center for Internet Security®
-+    Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
-+
-+    This profile includes Center for Internet Security®
-+    Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
- 
- selections:
-     # Necessary for dconf rules
diff --git a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
deleted file mode 100644
index 3c4f3b1..0000000
--- a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
+++ /dev/null
@@ -1,274 +0,0 @@
-From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 25 May 2020 12:17:48 +0200
-Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
-
----
- rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
- rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
- 2 files changed, 250 insertions(+)
- create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
- create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
-
-diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
-new file mode 100644
-index 0000000000..14c82c4231
---- /dev/null
-+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
-@@ -0,0 +1,125 @@
-+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
-+# Version: 0.0.1
-+# Date: 2020-05-25
-+#
-+# Based on:
-+# http://fedoraproject.org/wiki/Anaconda/Kickstart
-+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
-+
-+# Install a fresh new system (optional)
-+install
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url		the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
-+#
-+
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot	enable device at a boot time
-+# --device	device to be activated and / or configured with the network command
-+# --bootproto	method to obtain networking configuration for device (default dhcp)
-+# --noipv6	disable IPv6 on this device
-+#
-+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
-+#       "--bootproto=static" must be used. For example:
-+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
-+#
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled	reject incoming connections that are not in response to outbound requests
-+# --ssh		allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# Set up the authentication options for the system (required)
-+# --enableshadow	enable shadowed passwords by default
-+# --passalgo		hash / crypt algorithm for new passwords
-+# See the manual page for authconfig for a complete list of possible options.
-+authconfig --enableshadow --passalgo=sha512
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux	erase all Linux partitions
-+# --initlabel	initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+autopart
-+
-+# Harden installation with HIPAA profile
-+# For more details and configuration options see command %addon org_fedora_oscap in
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
-+%addon org_fedora_oscap
-+        content-type = scap-security-guide
-+        profile = xccdf_org.ssgproject.content_profile_hipaa
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+
-+# Require @Base
-+@Base
-+
-+%end # End of %packages section
-+
-+# Reboot after the installation is complete (optional)
-+# --eject	attempt to eject CD or DVD media before rebooting
-+reboot --eject
-diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
-new file mode 100644
-index 0000000000..861db36f18
---- /dev/null
-+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
-@@ -0,0 +1,125 @@
-+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
-+# Version: 0.0.1
-+# Date: 2020-05-25
-+#
-+# Based on:
-+# http://fedoraproject.org/wiki/Anaconda/Kickstart
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
-+
-+# Install a fresh new system (optional)
-+install
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url		the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
-+#
-+
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot	enable device at a boot time
-+# --device	device to be activated and / or configured with the network command
-+# --bootproto	method to obtain networking configuration for device (default dhcp)
-+# --noipv6	disable IPv6 on this device
-+#
-+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
-+#       "--bootproto=static" must be used. For example:
-+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
-+#
-+network --onboot yes --device eth0 --bootproto dhcp --noipv6
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled	reject incoming connections that are not in response to outbound requests
-+# --ssh		allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# Set up the authentication options for the system (required)
-+# sssd profile sets sha512 to hash passwords
-+# passwords are shadowed by default
-+# See the manual page for authselect-profile for a complete list of possible options.
-+authselect select sssd
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Plaintext password is: password
-+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
-+# encrypted password form for different plaintext password
-+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+# 
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux	erase all Linux partitions
-+# --initlabel	initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+autopart
-+
-+# Harden installation with HIPAA profile
-+# For more details and configuration options see
-+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
-+%addon org_fedora_oscap
-+        content-type = scap-security-guide
-+        profile = xccdf_org.ssgproject.content_profile_hipaa
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+
-+# Require @Base
-+@Base
-+
-+%end # End of %packages section
-+
-+# Reboot after the installation is complete (optional)
-+# --eject	attempt to eject CD or DVD media before rebooting
-+reboot --eject
diff --git a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
deleted file mode 100644
index e6dc9cb..0000000
--- a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 22 May 2020 14:12:18 +0200
-Subject: [PATCH] Add missing CCEs for RHEL8
-
----
- .../password_storage/no_netrc_files/rule.yml                   | 1 +
- .../accounts_user_interactive_home_directory_exists/rule.yml   | 1 +
- .../file_groupownership_home_directories/rule.yml              | 1 +
- shared/references/cce-redhat-avail.txt                         | 3 ---
- 4 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-index 8547893201..1bd1f5742e 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
-     cce@rhel6: 27225-2
-     cce@rhel7: 80211-6
-+    cce@rhel8: 83444-0
-     cce@ocp4: 82667-7
- 
- references:
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-index bedf3a0b19..e69bc9d736 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
- 
- identifiers:
-     cce@rhel7: 80529-1
-+    cce@rhel8: 83424-2
- 
- references:
-     stigid@ol7: "020620"
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-index 1c5ac8d099..f931f6d160 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
- 
- identifiers:
-     cce@rhel7: 80532-5
-+    cce@rhel8: 83434-1
- 
- references:
-     stigid@ol7: "020650"
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 2f0d2a526b..45d03a2c1d 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -95,7 +95,6 @@ CCE-83411-9
- CCE-83421-8
- CCE-83422-6
- CCE-83423-4
--CCE-83424-2
- CCE-83425-9
- CCE-83426-7
- CCE-83427-5
-@@ -105,7 +104,6 @@ CCE-83430-9
- CCE-83431-7
- CCE-83432-5
- CCE-83433-3
--CCE-83434-1
- CCE-83435-8
- CCE-83436-6
- CCE-83437-4
-@@ -115,7 +113,6 @@ CCE-83440-8
- CCE-83441-6
- CCE-83442-4
- CCE-83443-2
--CCE-83444-0
- CCE-83445-7
- CCE-83446-5
- CCE-83447-3
diff --git a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
deleted file mode 100644
index b435b97..0000000
--- a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 21 May 2020 13:30:24 +0200
-Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
-
----
- .../root_logins/no_direct_root_logins/ansible/shared.yml    | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
-index e9a29a24d5..6fbb7c72a5 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
-@@ -3,13 +3,9 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- name: Test for existence of /etc/securetty
--  stat:
--    path: /etc/securetty
--  register: securetty_empty
-+
- 
- - name: "Direct root Logins Not Allowed"
-   copy:
-     dest: /etc/securetty
-     content: ""
--  when: securetty_empty.stat.size > 1
-
-From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 21 May 2020 14:21:38 +0200
-Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
-
----
- shared/templates/template_ANSIBLE_sebool | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
-index 29f37081be..38d7c7c350 100644
---- a/shared/templates/template_ANSIBLE_sebool
-+++ b/shared/templates/template_ANSIBLE_sebool
-@@ -13,11 +13,17 @@
- {{% else %}}
- - (xccdf-var var_{{{ SEBOOLID }}})
- 
-+{{% if product == "rhel8" %}}
-+- name: Ensure python3-libsemanage installed
-+  package:
-+    name: python3-libsemanage
-+    state: present
-+{{% else %}}
- - name: Ensure libsemanage-python installed
-   package:
-     name: libsemanage-python
-     state: present
--
-+{{% endif %}}
- - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
-   seboolean:
-     name: {{{ SEBOOLID }}}
-
-From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 21 May 2020 14:57:05 +0200
-Subject: [PATCH 3/3] add tests for no_direct_root_logins
-
----
- .../root_logins/no_direct_root_logins/tests/correct.pass.sh    | 3 +++
- .../root_logins/no_direct_root_logins/tests/missing.fail.sh    | 3 +++
- .../root_logins/no_direct_root_logins/tests/wrong.fail.sh      | 3 +++
- 3 files changed, 9 insertions(+)
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
-new file mode 100644
-index 0000000000..17251f6a98
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+echo > /etc/securetty
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
-new file mode 100644
-index 0000000000..c764814b26
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+rm -f /etc/securetty
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
-new file mode 100644
-index 0000000000..43ac341e87
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+echo "something" > /etc/securetty
diff --git a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
deleted file mode 100644
index 5c6664f..0000000
--- a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
+++ /dev/null
@@ -1,308 +0,0 @@
-From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 26 May 2020 17:49:21 +0200
-Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
-
-Affected rules:
- - selinux_policytype
- - selinux_state
----
- .../selinux/selinux_policytype/ansible/shared.yml |  9 ++-------
- .../selinux/selinux_policytype/bash/shared.sh     |  5 +++--
- .../tests/selinuxtype_minimum.fail.sh             | 10 ++++++++++
- .../selinux/selinux_state/ansible/shared.yml      |  9 ++-------
- .../system/selinux/selinux_state/bash/shared.sh   |  5 +++--
- .../selinux_state/tests/selinux_missing.fail.sh   |  5 +++++
- .../tests/selinux_permissive.fail.sh              | 10 ++++++++++
- shared/macros-ansible.jinja                       | 11 +++++++++++
- shared/macros-bash.jinja                          | 15 +++++++++++++++
- 9 files changed, 61 insertions(+), 18 deletions(-)
- create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
- create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
- create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
-
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-index 5c70cc9f7f..9f8cf66dfb 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-@@ -3,11 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
- - (xccdf-var var_selinux_policy_name)
- 
--- name: "{{{ rule_title }}}"
--  lineinfile:
--    path: /etc/sysconfig/selinux
--    regexp: '^SELINUXTYPE='
--    line: "SELINUXTYPE={{ var_selinux_policy_name }}"
--    create: yes
-+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-index d0fbbf4446..2b5ce31b12 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-@@ -1,7 +1,8 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
--#
-+
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
-+
- populate var_selinux_policy_name
- 
--replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
-+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-new file mode 100644
-index 0000000000..1a6eb94953
---- /dev/null
-+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-+
-+SELINUX_FILE='/etc/selinux/config'
-+
-+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
-+	sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
-+else
-+	echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
-+fi
-diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
-index b465ac6729..1c1560a86c 100644
---- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
-+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
-@@ -3,11 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
- - (xccdf-var var_selinux_state)
- 
--- name: "{{{ rule_title }}}"
--  lineinfile:
--    path: /etc/sysconfig/selinux
--    regexp: '^SELINUX='
--    line: "SELINUX={{ var_selinux_state }}"
--    create: yes
-+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
-diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-index 58193b5504..a402a861d7 100644
---- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-@@ -1,10 +1,11 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
--#
-+
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
-+
- populate var_selinux_state
- 
--replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
-+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
- 
- fixfiles onboot
- fixfiles -f relabel
-diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
-new file mode 100644
-index 0000000000..180dd80791
---- /dev/null
-+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-+
-+SELINUX_FILE='/etc/selinux/config'
-+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
-diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
-new file mode 100644
-index 0000000000..3db1e56b5f
---- /dev/null
-+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-+
-+SELINUX_FILE='/etc/selinux/config'
-+
-+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
-+	sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
-+else
-+	echo 'SELINUX=permissive' >> $SELINUX_FILE
-+fi
-diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
-index 6798a25d1f..01d3155b37 100644
---- a/shared/macros-ansible.jinja
-+++ b/shared/macros-ansible.jinja
-@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
- {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
- {{%- endmacro %}}
- 
-+{{#
-+  High level macro to set a parameter in /etc/selinux/config.
-+  Parameters:
-+  - msg: the name for the Ansible task
-+  - parameter: parameter to be set in the configuration file
-+  - value: value of the parameter
-+#}}
-+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
-+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
-+{{%- endmacro %}}
-+
- {{#
-   Generates an Ansible task that puts 'contents' into a file at 'filepath'
-   Parameters:
-diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
-index 3a94fe5dd8..2531d1c52d 100644
---- a/shared/macros-bash.jinja
-+++ b/shared/macros-bash.jinja
-@@ -86,6 +86,21 @@ populate {{{ name }}}
-     }}}
- {{%- endmacro -%}}
- 
-+{{%- macro bash_selinux_config_set(parameter, value) -%}}
-+{{{ set_config_file(
-+        path="/etc/selinux/config",
-+        parameter=parameter,
-+        value=value,
-+        create=true,
-+        insert_after="",
-+        insert_before="",
-+        insensitive=true,
-+        separator="=",
-+        separator_regex="\s*=\s*",
-+        prefix_regex="^\s*")
-+    }}}
-+{{%- endmacro -%}}
-+
- {{#
- # Install a package
- # Uses the right command based on pkg_manger proprerty defined in product.yaml.
-
-From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 27 May 2020 18:48:57 +0200
-Subject: [PATCH 2/2] Remediation requires reboot.
-
-Update OVAL check to disallow spaces.
-Removed selinuxtype_minimum test scenario since breaks the system.
----
- .../selinux/selinux_policytype/ansible/shared.yml      |  2 +-
- .../system/selinux/selinux_policytype/bash/shared.sh   |  4 ++++
- .../system/selinux/selinux_policytype/oval/shared.xml  |  2 +-
- .../tests/selinuxtype_minimum.fail.sh                  | 10 ----------
- .../guide/system/selinux/selinux_state/bash/shared.sh  |  4 ++++
- .../guide/system/selinux/selinux_state/oval/shared.xml |  2 +-
- shared/macros-ansible.jinja                            |  2 +-
- shared/macros-bash.jinja                               |  4 ++--
- 8 files changed, 14 insertions(+), 16 deletions(-)
- delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-index 9f8cf66dfb..73e6ec7cd4 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-@@ -1,5 +1,5 @@
- # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
--# reboot = false
-+# reboot = true
- # strategy = restrict
- # complexity = low
- # disruption = low
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-index 2b5ce31b12..b4f79c97f9 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-@@ -1,4 +1,8 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# reboot = true
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
- 
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-index f1840a1290..3d69fff07f 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-@@ -27,7 +27,7 @@
- 
-   <ind:textfilecontent54_object id="obj_selinux_policy" version="1">
-     <ind:filepath>/etc/selinux/config</ind:filepath>
--    <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
-+    <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
- </def-group>
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-deleted file mode 100644
-index 1a6eb94953..0000000000
---- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-+++ /dev/null
-@@ -1,10 +0,0 @@
--#!/bin/bash
--# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
--
--SELINUX_FILE='/etc/selinux/config'
--
--if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
--	sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
--else
--	echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
--fi
-diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-index a402a861d7..645a7acab4 100644
---- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-@@ -1,4 +1,8 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
-+# reboot = true
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
- 
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
-diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-index c0881696e1..8c328060af 100644
---- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-@@ -18,7 +18,7 @@
- 
-   <ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
-     <ind:filepath>/etc/selinux/config</ind:filepath>
--    <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-+    <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
-diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
-index 01d3155b37..580a0b948e 100644
---- a/shared/macros-ansible.jinja
-+++ b/shared/macros-ansible.jinja
-@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
-   - value: value of the parameter
- #}}
- {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
--{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
-+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
- {{%- endmacro %}}
- 
- {{#
-diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
-index 2531d1c52d..8abcc914d3 100644
---- a/shared/macros-bash.jinja
-+++ b/shared/macros-bash.jinja
-@@ -96,8 +96,8 @@ populate {{{ name }}}
-         insert_before="",
-         insensitive=true,
-         separator="=",
--        separator_regex="\s*=\s*",
--        prefix_regex="^\s*")
-+        separator_regex="=",
-+        prefix_regex="^")
-     }}}
- {{%- endmacro -%}}
- 
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
deleted file mode 100644
index 1e028b7..0000000
--- a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 15 May 2020 23:36:18 +0200
-Subject: [PATCH] Ansible mount_option: split mount and option task
-
-Separate task that adds mount options mounts the mountpoint into two tasks.
-Conditioning the "mount" task on the absence of the target mount option
-caused the task to always be skipped when mount option was alredy present,
-and could result in the mount point not being mounted.
----
- shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
-index 95bede25f9..a0cf8d6b7a 100644
---- a/shared/templates/template_ANSIBLE_mount_option
-+++ b/shared/templates/template_ANSIBLE_mount_option
-@@ -26,14 +26,19 @@
-     - device_name.stdout is defined and device_name.stdout_lines is defined
-     - (device_name.stdout | length > 0)
- 
--- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
-+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
-+  set_fact:
-+    mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
-+  when:
-+    - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
-+
-+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
-   mount:
-     path: "{{{ MOUNTPOINT }}}"
-     src: "{{ mount_info.source }}"
--    opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
-+    opts: "{{ mount_info.options }}"
-     state: "mounted"
-     fstype: "{{ mount_info.fstype }}"
-   when:
--    - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
-     - device_name.stdout is defined
-     - (device_name.stdout | length > 0)
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
deleted file mode 100644
index 47b9cdb..0000000
--- a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 14 May 2020 16:46:07 +0200
-Subject: [PATCH] reorder groups because of permissions verification
-
----
- ssg/build_yaml.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
-index e3e138283c..c9f3179c08 100644
---- a/ssg/build_yaml.py
-+++ b/ssg/build_yaml.py
-@@ -700,6 +700,11 @@ def to_xml_element(self):
-         # audit_rules_privileged_commands, othervise the rule
-         # does not catch newly installed screeen binary during remediation
-         # and report fail
-+        # the software group should come before the
-+        # bootloader-grub2 group because of conflict between
-+        # rules rpm_verify_permissions and file_permissions_grub2_cfg
-+        # specific rules concerning permissions should
-+        # be applied after the general rpm_verify_permissions
-         # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
-         # the firewalld_activation must come before ruleset_modifications, othervise
-         # remediations for ruleset_modifications won't work
-@@ -707,6 +712,7 @@ def to_xml_element(self):
-         # otherwise the remediation prints error although it is successful
-         priority_order = [
-             "accounts", "auditing",
-+            "software", "bootloader-grub2",
-             "fips", "crypto",
-             "firewalld_activation", "ruleset_modifications",
-             "disabling_ipv6", "configuring_ipv6"
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch b/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
deleted file mode 100644
index 34531f1..0000000
--- a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 14 May 2020 01:20:53 +0200
-Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
-
-All paths in /etc/rsyslog.conf were taken as log files, but paths
-in lines containing "include" or "$IncludeConfig" are config files.
-
-Let's not take them in as log files
----
- .../rsyslog_files_permissions/oval/shared.xml          | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-index a78cd69df2..c74f3da3f5 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-@@ -87,8 +87,18 @@
-     -->
-     <ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+    <filter action="exclude">state_ignore_include_paths</filter>
-   </ind:textfilecontent54_object>
- 
-+  <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
-+    <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
-+         include() or $IncludeConfig statements.
-+         These paths are conf files, not log files. Their permissions don't need to be as
-+         required for log files, thus, lets exclude them from the list of objects found
-+    -->
-+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
-+  </ind:textfilecontent54_state>
-+
-   <!-- Define OVAL variable to hold all the various system log files locations
-        retrieved from the different rsyslog configuration files
-   -->
-
-From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 14 May 2020 00:16:37 +0200
-Subject: [PATCH 2/4] Fix permissions of files referenced by include()
-
-The remediation script also needs to parse the files included via
-"include()".
-The awk also takes into consideration the multiline aspect.
----
- .../rsyslog_files_permissions/bash/shared.sh                  | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-index 6cbf0c6a24..dca35301e7 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
- # * And also the log file paths listed after rsyslog's $IncludeConfig directive
- #   (store the result into array for the case there's shell glob used as value of IncludeConfig)
- readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
-+
- # Declare an array to hold the final list of different log file paths
- declare -a LOG_FILE_PATHS
- 
- # Browse each file selected above as containing paths of log files
- # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
--for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
-+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
- do
- 	# From each of these files extract just particular log file path(s), thus:
- 	# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
-
-From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 15 May 2020 15:53:58 +0200
-Subject: [PATCH 3/4] Make regex for include file more strict
-
-For some reason gensub in awk doesn't support non capturing group.
-So the group with OR is capturing and we substitute everyting with the
-second group, witch matches the file path.
----
- .../rsyslog_files_permissions/bash/shared.sh                    | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-index dca35301e7..99d2d0e794 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
- # * And also the log file paths listed after rsyslog's $IncludeConfig directive
- #   (store the result into array for the case there's shell glob used as value of IncludeConfig)
- readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
--readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
-+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
- 
- # Declare an array to hold the final list of different log file paths
- declare -a LOG_FILE_PATHS
-
-From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 15 May 2020 16:55:02 +0200
-Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
-
-These three files basically work the same way
----
- .../rsyslog_files_groupownership/oval/shared.xml       | 10 ++++++++++
- .../rsyslog_files_ownership/oval/shared.xml            | 10 ++++++++++
- .../rsyslog_files_permissions/oval/shared.xml          |  4 ++--
- 3 files changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-index 5828f25321..9941e2b94f 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-@@ -86,8 +86,18 @@
-     -->
-     <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+    <filter action="exclude">state_groupownership_ignore_include_paths</filter>
-   </ind:textfilecontent54_object>
- 
-+  <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
-+    <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
-+         include() or $IncludeConfig statements.
-+         These paths are conf files, not log files. Their groupownership don't need to be as
-+         required for log files, thus, lets exclude them from the list of objects found
-+    -->
-+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
-+  </ind:textfilecontent54_state>
-+
-   <!-- Define OVAL variable to hold all the various system log files locations
-        retrieved from the different rsyslog configuration files
-   -->
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-index 3c46eab6d6..29dd1a989e 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-@@ -83,8 +83,18 @@
-     -->
-     <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+    <filter action="exclude">state_owner_ignore_include_paths</filter>
-   </ind:textfilecontent54_object>
- 
-+  <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
-+    <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
-+         include() or $IncludeConfig statements.
-+         These paths are conf files, not log files. Their owner don't need to be as
-+         required for log files, thus, lets exclude them from the list of objects found
-+    -->
-+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
-+  </ind:textfilecontent54_state>
-+
-   <!-- Define OVAL variable to hold all the various system log files locations
-        retrieved from the different rsyslog configuration files
-   -->
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-index c74f3da3f5..da37a15b8c 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-@@ -87,10 +87,10 @@
-     -->
-     <ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
--    <filter action="exclude">state_ignore_include_paths</filter>
-+    <filter action="exclude">state_permissions_ignore_include_paths</filter>
-   </ind:textfilecontent54_object>
- 
--  <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
-+  <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
-     <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
-          include() or $IncludeConfig statements.
-          These paths are conf files, not log files. Their permissions don't need to be as
diff --git a/SOURCES/scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch b/SOURCES/scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
deleted file mode 100644
index 3da1764..0000000
--- a/SOURCES/scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 602e57d4c643be443110bbc772e6e5546b1a3cd3 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Fri, 26 Jun 2020 16:56:52 +0200
-Subject: [PATCH] Update RHEL7 documentation link for
- grub2_uefi_admin_username.
-
----
- .../system/bootloader-grub2/grub2_uefi_admin_username/rule.yml  | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
-index 1926837db7..0c69e59553 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
-@@ -28,7 +28,7 @@ rationale: |-
-     For more information on how to configure the grub2 superuser account and password,
-     please refer to
-     <ul>
--    <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
-+    <li>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-working_with_the_grub_2_boot_loader#sec-Protecting_GRUB_2_with_a_Password") }}}</li>.
-     </ul>
-     {{% endif %}}
- 
diff --git a/SOURCES/scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch b/SOURCES/scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
deleted file mode 100644
index 9ad2d13..0000000
--- a/SOURCES/scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
+++ /dev/null
@@ -1,375 +0,0 @@
-From 62bf1be5a2f2789196a9b81ca7cd246d148dfb5b Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Wed, 3 Jun 2020 10:54:51 +0200
-Subject: [PATCH 1/3] no_shelllogin_for_systemaccounts: add tests
-
----
- .../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 4 ++++
- .../tests/no_sys_uids.pass.sh                              | 7 +++++++
- .../tests/only_system_users.pass.sh                        | 6 ++++++
- .../tests/system_user_with_shell.fail.sh                   | 6 ++++++
- 4 files changed, 23 insertions(+)
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
-new file mode 100644
-index 0000000000..6d48ad78fd
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
-@@ -0,0 +1,4 @@
-+# remediation = none
-+
-+#!/bin/bash
-+true
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
-new file mode 100644
-index 0000000000..bc4f9cee8c
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
-@@ -0,0 +1,7 @@
-+# remediation = none
-+
-+#!/bin/bash
-+
-+# Force unset of SYS_UID values
-+sed -i '/^SYS_UID_MIN/d' /etc/login.defs
-+sed -i '/^SYS_UID_MAX/d' /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
-new file mode 100644
-index 0000000000..0cdb820bbb
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
-@@ -0,0 +1,6 @@
-+# remediation = none
-+
-+#!/bin/bash
-+
-+# remove any non-system user
-+sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
-new file mode 100644
-index 0000000000..7639a8809d
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
-@@ -0,0 +1,6 @@
-+# remediation = none
-+
-+#!/bin/bash
-+
-+# change system user "mail" shell to bash
-+usermod --shell /bin/bash mail
-
-From 403cf63228a838bb80e09d8a6750bc5ee8597ce4 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Wed, 3 Jun 2020 11:27:48 +0200
-Subject: [PATCH 2/3] no_shelllogin_for_systemaccounts: simplify check for
- range of UIDs
-
-There is no need to make calculations on top of the UIDs, we can compare
-the collected UIDs with shell againt the states that define the valid range.
-
-Avoiding the calculations has the added benefit of not using/referencing
-a variable that can be empty (when no user has shell, except root).
----
- .../oval/shared.xml                           | 198 +++---------------
- 1 file changed, 33 insertions(+), 165 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
-index 7e68441867..d0e836515b 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
-@@ -79,13 +79,6 @@
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
--  <!-- Extract UIDs from /etc/passwd entries into OVAL variable -->
--  <local_variable id="variable_sys_uids_etc_passwd" datatype="int"
--  comment="UIDs retrieved from /etc/passwd" version="1">
--    <object_component item_field="subexpression"
--    object_ref="object_etc_passwd_entries" />
--  </local_variable>
--
-   <!-- FIRST CRITERION -->
-   <!-- If both SYS_UID_MIN and SYS_UID_MAX aren't defined in /etc/login.defs
-        perform the check that all /etc/passwd entries having shell defined have
-@@ -100,63 +93,23 @@
-     </regex_capture>
-   </local_variable>
- 
--  <!-- OVAL entities below are workaround for the OpenSCAP bug:
--       https://github.com/OpenSCAP/openscap/issues/428
--
--       Within the test below we will check if all /etc/passwd entries
--       having shell defined have UIDs outside of <0, UID_MIN - 1> range.
--       If at least one UID is within the range, test will fail.
--
--       Observation: Number "x" is outside of <a, b> range if the following
--       inequality is met (x - a) * (x - b) > 0
--  -->
--
--  <!-- OVAL variable to hold (x - 0) * (x - (UID_MIN -1)) range -->
--  <local_variable id="variable_default_range_quad_expr" datatype="int"
--  comment="Construct (x - 0) * (x - (UID_MIN - 1)) expression"
--  version="1">
--    <!-- Construct the final multiplication -->
--    <arithmetic arithmetic_operation="multiply">
--      <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
--      <!-- (x - 0) = x => use just "x" value -->
--      <variable_component var_ref="variable_sys_uids_etc_passwd" />
--      <!-- Get (x - (UID_MIN -1)) result -->
--      <arithmetic arithmetic_operation="add">
--        <variable_component var_ref="variable_sys_uids_etc_passwd" />
--        <!-- Get -1 * (UID_MIN - 1) result -->
--        <arithmetic arithmetic_operation="multiply">
--          <literal_component datatype="int">-1</literal_component>
--          <!-- Get (UID_MIN -1) result -->
--          <arithmetic arithmetic_operation="add">
--            <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
--            <variable_component var_ref="variable_uid_min_value" />
--            <literal_component datatype="int">-1</literal_component>
--          </arithmetic>
--        </arithmetic>
--      </arithmetic>
--    </arithmetic>
--  </local_variable>
--
--  <!-- Foreach previously collected UID store the expression into
--       corresponding OVAL object -->
--  <ind:variable_object id="object_shell_defined_default_uid_range" version="1">
--    <ind:var_ref>variable_default_range_quad_expr</ind:var_ref>
--  </ind:variable_object>
--
--  <!-- Finally verify that (x - a) * (x - b) > 0 -->
--  <ind:variable_state id="state_shell_defined_default_uid_range" version="1">
--    <ind:value datatype="int" operation="greater than">0</ind:value>
--  </ind:variable_state>
--
-   <!-- Perform the default <0, UID_MIN - 1> UID range test itself -->
-   <!-- Thus check that all /etc/passwd entries having shell defined
-        have UID outside of <0, UID_MIN -1> range -->
--  <ind:variable_test id="test_shell_defined_default_uid_range" check="all"
-+  <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_default_uid_range" check="all"
-   check_existence="all_exist" comment="&lt;0, UID_MIN - 1&gt; system UIDs having shell set"
-   version="1">
--    <ind:object object_ref="object_shell_defined_default_uid_range" />
--    <ind:state state_ref="state_shell_defined_default_uid_range" />
--  </ind:variable_test>
-+    <ind:object object_ref="object_etc_passwd_entries" />
-+    <ind:state state_ref="state_uid_less_than_zero" />
-+    <ind:state state_ref="state_uid_greater_than_or_equal_uid_min" />
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_state id="state_uid_less_than_zero" version="1">
-+    <ind:subexpression datatype="int" operation="less than">0</ind:subexpression>
-+  </ind:textfilecontent54_state>
-+  <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_uid_min" version="1">
-+    <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_uid_min_value" />
-+  </ind:textfilecontent54_state>
- 
-   <!-- Test if SYS_UID_MIN not defined in /etc/login.defs -->
-   <ind:textfilecontent54_test id="test_sys_uid_min_not_defined"
-@@ -200,121 +153,36 @@
-     </regex_capture>
-   </local_variable>
- 
--  <!-- OVAL entities below are workaround for the OpenSCAP bug:
--       https://github.com/OpenSCAP/openscap/issues/428
--
--       Within the test below we will check if all /etc/passwd entries
--       having shell defined have UIDs outside of <0, SYS_UID_MIN> range.
--       If at least one UID is within the range, test will fail.
--
--       Observation: Number "x" is outside of <a, b> range if the following
--       inequality is met (x - a) * (x - b) > 0
--  -->
--
--  <!-- OVAL variable to hold UIDs for reserved system accounts, thus
--       UIDs from the range <0, SYS_UID_MIN> -->
--  <local_variable id="variable_reserved_range_quad_expr" datatype="int"
--  comment="Construct (x - 0) * (x - SYS_UID_MIN) expression"
--  version="1">
--    <!-- Construct the final multiplication -->
--    <arithmetic arithmetic_operation="multiply">
--      <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
--      <!-- (x - 0) = x => use just "x" value -->
--      <variable_component var_ref="variable_sys_uids_etc_passwd" />
--      <!-- Construct (x - SYS_UID_MIN) expression -->
--      <arithmetic arithmetic_operation="add">
--        <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
--        <variable_component var_ref="variable_sys_uids_etc_passwd" />
--        <!-- Get negative value of SYS_UID_MIN -->
--        <arithmetic arithmetic_operation="multiply">
--          <literal_component datatype="int">-1</literal_component>
--          <variable_component var_ref="variable_sys_uid_min_value" />
--        </arithmetic>
--      </arithmetic>
--    </arithmetic>
--  </local_variable>
--
--  <!-- Foreach previously collected UID store the expression into
--       corresponding OVAL object -->
--  <ind:variable_object id="object_shell_defined_reserved_uid_range" version="1">
--    <ind:var_ref>variable_reserved_range_quad_expr</ind:var_ref>
--  </ind:variable_object>
--
--  <!-- Finally verify that (x - a) * (x - b) > 0 -->
--  <ind:variable_state id="state_shell_defined_reserved_uid_range" version="1">
--    <ind:value datatype="int" operation="greater than">0</ind:value>
--  </ind:variable_state>
--
-   <!-- Perform the reserved UID range <0, SYS_UID_MIN> test itself -->
-   <!-- Thus check that all /etc/passwd entries having shell defined
-        have UID outside of <0, SYS_UID_MIN> range -->
--  <ind:variable_test id="test_shell_defined_reserved_uid_range" check="all"
--  check_existence="all_exist" comment="&lt;0, SYS_UID_MIN&gt; system UIDs having shell set"
--  version="1">
--    <ind:object object_ref="object_shell_defined_reserved_uid_range" />
--    <ind:state state_ref="state_shell_defined_reserved_uid_range" />
--  </ind:variable_test>
--
--  <!-- OVAL entities below are workaround for the OpenSCAP bug:
--       https://github.com/OpenSCAP/openscap/issues/428
--
--       Within the test below we will check if all /etc/passwd entries
--       having shell defined have UIDs outside of <SYS_UID_MIN, SYS_UID_MAX> range.
--       If at least one UID is within the range, test will fail.
--
--       Observation: Number "x" is outside of <a, b> range if the following
--       inequality is met (x - a) * (x - b) > 0
--  -->
--
--  <!-- OVAL variable to hold UIDs for dynamically allocated system accounts,
--       thus UIDs from the range <SYS_UID_MIN, SYS_UID_MAX> -->
--  <local_variable id="variable_dynalloc_range_quad_expr" datatype="int"
--  comment="Construct (x - SYS_UID_MIN) * (x - SYS_UID_MAX) expression"
-+  <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_reserved_uid_range" check="all"
-+  check_existence="any_exist" comment="&lt;0, SYS_UID_MIN&gt; system UIDs having shell set"
-   version="1">
--    <!-- Construct the final multiplication -->
--    <arithmetic arithmetic_operation="multiply">
--      <!-- Construct (x - SYS_UID_MIN) expression -->
--      <arithmetic arithmetic_operation="add">
--        <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
--        <variable_component var_ref="variable_sys_uids_etc_passwd" />
--        <!-- Get negative value of SYS_UID_MIN -->
--        <arithmetic arithmetic_operation="multiply">
--          <literal_component datatype="int">-1</literal_component>
--          <variable_component var_ref="variable_sys_uid_min_value" />
--        </arithmetic>
--      </arithmetic>
--      <!-- Construct (x - SYS_UID_MAX) expression -->
--      <arithmetic arithmetic_operation="add">
--        <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
--        <variable_component var_ref="variable_sys_uids_etc_passwd" />
--        <!-- Get negative value of SYS_UID_MAX -->
--        <arithmetic arithmetic_operation="multiply">
--          <literal_component datatype="int">-1</literal_component>
--          <variable_component var_ref="variable_sys_uid_max_value" />
--        </arithmetic>
--      </arithmetic>
--    </arithmetic>
--  </local_variable>
--
--  <!-- Foreach previously collected UID store the expression into
--       corresponding OVAL object -->
--  <ind:variable_object id="object_shell_defined_dynalloc_uid_range" version="1">
--    <ind:var_ref>variable_dynalloc_range_quad_expr</ind:var_ref>
--  </ind:variable_object>
-+    <ind:object object_ref="object_etc_passwd_entries" />
-+    <ind:state state_ref="state_uid_less_than_zero" />
-+    <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_min" />
-+  </ind:textfilecontent54_test>
- 
--  <!-- Finally verify that (x - a) * (x - b) > 0 -->
--  <ind:variable_state id="state_shell_defined_dynalloc_uid_range" version="1">
--    <ind:value datatype="int" operation="greater than">0</ind:value>
--  </ind:variable_state>
-+  <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_min" version="1">
-+    <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_min_value" />
-+  </ind:textfilecontent54_state>
- 
-   <!-- Perform the dynamically allocated UID range <SYS_UID_MIN, SYS_UID_MAX> test itself -->
-   <!-- Thus check that all /etc/passwd entries having shell defined
-        have UID outside of <SYS_UID_MIN, SYS_UID_MAX> range -->
--  <ind:variable_test id="test_shell_defined_dynalloc_uid_range" check="all"
--  check_existence="all_exist" comment="&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDS having shell set"
-+  <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_dynalloc_uid_range" check="all"
-+  check_existence="any_exist" comment="&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDS having shell set"
-   version="1">
--    <ind:object object_ref="object_shell_defined_dynalloc_uid_range" />
--    <ind:state state_ref="state_shell_defined_dynalloc_uid_range" />
--  </ind:variable_test>
-+    <ind:object object_ref="object_etc_passwd_entries" />
-+    <ind:state state_ref="state_uid_less_than_sys_uid_min" />
-+    <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_max" />
-+  </ind:textfilecontent54_test>
- 
-+  <ind:textfilecontent54_state id="state_uid_less_than_sys_uid_min" version="1">
-+    <ind:subexpression datatype="int" operation="less than" var_ref="variable_sys_uid_min_value" />
-+  </ind:textfilecontent54_state>
-+  <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_max" version="1">
-+    <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_max_value" />
-+  </ind:textfilecontent54_state>
- </def-group>
-
-From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 4 Jun 2020 14:04:37 +0200
-Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs
-
----
- .../no_shelllogin_for_systemaccounts/tests/default.pass.sh     | 2 +-
- .../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +--
- .../tests/only_system_users.pass.sh                            | 3 +--
- .../tests/system_user_with_shell.fail.sh                       | 3 +--
- 4 files changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
-index 6d48ad78fd..833831f79d 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
-@@ -1,4 +1,4 @@
-+#!/bin/bash
- # remediation = none
- 
--#!/bin/bash
- true
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
-index bc4f9cee8c..6769895eb2 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
-@@ -1,6 +1,5 @@
--# remediation = none
--
- #!/bin/bash
-+# remediation = none
- 
- # Force unset of SYS_UID values
- sed -i '/^SYS_UID_MIN/d' /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
-index 0cdb820bbb..06edf671ce 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
-@@ -1,6 +1,5 @@
--# remediation = none
--
- #!/bin/bash
-+# remediation = none
- 
- # remove any non-system user
- sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
-index 7639a8809d..10312593b8 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
-@@ -1,6 +1,5 @@
--# remediation = none
--
- #!/bin/bash
-+# remediation = none
- 
- # change system user "mail" shell to bash
- usermod --shell /bin/bash mail
diff --git a/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch b/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
deleted file mode 100644
index 218e89b..0000000
--- a/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 25 Jun 2020 09:53:38 +0200
-Subject: [PATCH 1/3] fixed description, oval, ansible, bash
-
----
- .../configure_openssl_crypto_policy/ansible/shared.yml |  4 ++--
- .../configure_openssl_crypto_policy/bash/shared.sh     |  4 ++--
- .../configure_openssl_crypto_policy/oval/shared.xml    |  2 +-
- .../crypto/configure_openssl_crypto_policy/rule.yml    | 10 +++++-----
- 4 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-index e6318f221c..98fe134aca 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-@@ -15,7 +15,7 @@
-   lineinfile:
-     create: yes
-     insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
--    line: ".include /etc/crypto-policies/back-ends/openssl.config"
-+    line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
-     path: /etc/pki/tls/openssl.cnf
-   when:
-     - test_crypto_policy_group.stdout is defined
-@@ -24,7 +24,7 @@
- - name: "Add crypto_policy group and set include openssl.config"
-   lineinfile:
-     create: yes
--    line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config"
-+    line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
-     path: /etc/pki/tls/openssl.cnf
-   when:
-     - test_crypto_policy_group.stdout is defined
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
-index 0b3cbf3b46..a0b30cce96 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
-@@ -2,8 +2,8 @@
- 
- OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
- OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
--OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config'
--OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$'
-+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
-+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
- 
- function remediate_openssl_crypto_policy() {
- 	CONFIG_FILE="/etc/pki/tls/openssl.cnf"
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
-index a9b3f7b6e9..2019769736 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
-@@ -20,7 +20,7 @@
-   <ind:textfilecontent54_object id="object_configure_openssl_crypto_policy"
-   version="1">
-     <ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>
--    <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</ind:pattern>
-+    <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-   </ind:textfilecontent54_object>
- </def-group>
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
-index 8c015bb3b2..1a66570a8c 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
-@@ -11,7 +11,7 @@ description: |-
-     To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
-     available under <tt>/etc/pki/tls/openssl.cnf</tt>.
-     This file has the <tt>ini</tt> format, and it enables crypto policy support
--    if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/openssl.config</tt> directive.
-+    if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/opensslcnf.config</tt> directive.
- 
- rationale: |-
-     Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
-@@ -29,11 +29,11 @@ references:
- 
- ocil_clause: |-
-     the OpenSSL config file doesn't contain the whole section,
--    or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive
-+    or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive
- 
- ocil: |-
--    To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file
-+    To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
-     <pre>/etc/pki/tls/openssl.cnf</pre> contains the <pre>[ crypto_policy ]</pre> section with the
--    <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive:
--    <pre>grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf</pre>.
-+    <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive:
-+    <pre>grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf</pre>.
- 
-
-From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 25 Jun 2020 09:54:09 +0200
-Subject: [PATCH 2/3] updated tests
-
----
- .../configure_openssl_crypto_policy/tests/ok.pass.sh   |  2 +-
- .../tests/wrong.fail.sh                                | 10 ++++++++++
- 2 files changed, 11 insertions(+), 1 deletion(-)
- create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
-index 5b8334735e..c56916883e 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
-@@ -6,5 +6,5 @@
- 
- create_config_file_with "[ crypto_policy ]
- 
--.include /etc/crypto-policies/back-ends/openssl.config
-+.include /etc/crypto-policies/back-ends/opensslcnf.config
- "
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
-new file mode 100644
-index 0000000000..5b8334735e
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
-+
-+. common.sh
-+
-+create_config_file_with "[ crypto_policy ]
-+
-+.include /etc/crypto-policies/back-ends/openssl.config
-+"
-
-From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 25 Jun 2020 17:32:00 +0200
-Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config
- file.
-
----
- .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-index 98fe134aca..986543c10f 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-@@ -11,7 +11,7 @@
-   changed_when: False
-   check_mode: no
- 
--- name: "Add .include for openssl.config to crypto_policy section"
-+- name: "Add .include for opensslcnf.config to crypto_policy section"
-   lineinfile:
-     create: yes
-     insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
-@@ -21,7 +21,7 @@
-     - test_crypto_policy_group.stdout is defined
-     - test_crypto_policy_group.stdout | length > 0
- 
--- name: "Add crypto_policy group and set include openssl.config"
-+- name: "Add crypto_policy group and set include opensslcnf.config"
-   lineinfile:
-     create: yes
-     line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
deleted file mode 100644
index 77a9e01..0000000
--- a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
+++ /dev/null
@@ -1,383 +0,0 @@
-From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Tue, 19 May 2020 15:49:34 +0200
-Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
-
-Introduce the rekey_limit_size and rekey_limit_time XCCDF values
-to make the rule more flexible.
----
- .../sshd_rekey_limit/bash/shared.sh           |  9 ++++
- .../sshd_rekey_limit/oval/shared.xml          | 43 +++++++++++++++++++
- .../ssh/ssh_server/sshd_rekey_limit/rule.yml  | 12 +-----
- .../sshd_rekey_limit/tests/bad_size.fail.sh   |  4 ++
- .../sshd_rekey_limit/tests/bad_time.fail.sh   |  4 ++
- .../sshd_rekey_limit/tests/no_line.fail.sh    |  3 ++
- .../sshd_rekey_limit/tests/ok.pass.sh         |  4 ++
- .../ssh/ssh_server/var_rekey_limit_size.var   | 14 ++++++
- .../ssh/ssh_server/var_rekey_limit_time.var   | 14 ++++++
- rhel8/profiles/ospp.profile                   |  2 +
- 10 files changed, 99 insertions(+), 10 deletions(-)
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
- create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
-new file mode 100644
-index 0000000000..2620c2d49e
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
-@@ -0,0 +1,9 @@
-+# platform = multi_platform_all
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+populate var_rekey_limit_size
-+populate var_rekey_limit_time
-+
-+{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
-new file mode 100644
-index 0000000000..57aa090948
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
-@@ -0,0 +1,43 @@
-+{{% set filepath = "/etc/ssh/sshd_config" %}}
-+{{% set parameter = "RekeyLimit" %}}
-+
-+
-+<def-group>
-+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
-+    <metadata>
-+      <title>{{{ rule_title }}}</title>
-+      {{{- oval_affected(products) }}}
-+      <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
-+    </metadata>
-+    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
-+        {{{- application_not_required_or_requirement_unset() }}}
-+        {{{- application_required_or_requirement_unset() }}}
-+        {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
-+    </criteria>
-+    </criteria>
-+  </definition>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_sshd_rekey_limit" version="1">
-+     <ind:object object_ref="obj_sshd_rekey_limit"/>
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
-+     <ind:filepath>{{{ filepath }}}</ind:filepath>
-+     <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
-+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+  <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
-+    <concat>
-+      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
-+      <variable_component var_ref="var_rekey_limit_size"/>
-+      <literal_component>[\s]+</literal_component>
-+      <variable_component var_ref="var_rekey_limit_time"/>
-+      <literal_component>[\s]*$</literal_component>
-+    </concat>
-+  </local_variable>
-+
-+  <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
-+  <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
-+</def-group>
-+
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-index e11678faa0..4936a381f5 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-@@ -7,7 +7,7 @@ description: |-
-     the session key of the is renegotiated, both in terms of
-     amount of data that may be transmitted and the time
-     elapsed. To decrease the default limits, put line
--    <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
-+    <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
- 
- rationale: |-
-     By decreasing the limit based on the amount of data and enabling
-@@ -30,12 +30,4 @@ ocil: |-
-     following command:
-     <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
-     If configured properly, output should be
--    <pre>RekeyLimit 512M 1h</pre>
--
--template:
--    name: sshd_lineinfile
--    vars:
--        missing_parameter_pass: 'false'
--        parameter: RekeyLimit
--        rule_id: sshd_rekey_limit
--        value: 512M 1h
-+    <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
-new file mode 100644
-index 0000000000..2ac0bbf350
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
-@@ -0,0 +1,4 @@
-+# platform = multi_platform_all
-+
-+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
-new file mode 100644
-index 0000000000..fec859fe05
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
-@@ -0,0 +1,4 @@
-+# platform = multi_platform_all
-+
-+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
-new file mode 100644
-index 0000000000..a6cd10163f
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
-@@ -0,0 +1,3 @@
-+# platform = multi_platform_all
-+
-+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
-new file mode 100644
-index 0000000000..a6a2ba7adf
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
-@@ -0,0 +1,4 @@
-+# platform = multi_platform_all
-+
-+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
-diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
-new file mode 100644
-index 0000000000..16dc376508
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
-@@ -0,0 +1,14 @@
-+documentation_complete: true
-+
-+title: 'SSH RekeyLimit - size'
-+
-+description: 'Specify the size component of the rekey limit.'
-+
-+type: string
-+
-+operator: equals
-+
-+options:
-+    sshd_default: "default"
-+    default: "512M"
-+    "512M": "512M"
-diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
-new file mode 100644
-index 0000000000..8801fbbf6f
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
-@@ -0,0 +1,14 @@
-+documentation_complete: true
-+
-+title: 'SSH RekeyLimit - size'
-+
-+description: 'Specify the size component of the rekey limit.'
-+
-+type: string
-+
-+operator: equals
-+
-+options:
-+    sshd_default: "none"
-+    default: "1h"
-+    "1hour": "1h"
-diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
-index c672066050..a5223a187f 100644
---- a/rhel8/profiles/ospp.profile
-+++ b/rhel8/profiles/ospp.profile
-@@ -58,6 +58,8 @@ selections:
-     - sshd_set_keepalive
-     - sshd_enable_warning_banner
-     - sshd_rekey_limit
-+    - var_rekey_limit_size=512M
-+    - var_rekey_limit_time=1hour
-     - sshd_use_strong_rng
-     - openssl_use_strong_entropy
- 
-
-From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Tue, 19 May 2020 17:57:12 +0200
-Subject: [PATCH 2/5] Updated stable profile definitions.
-
----
- tests/data/profile_stability/rhel8/ospp.profile | 2 ++
- tests/data/profile_stability/rhel8/stig.profile | 3 ++-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index 23039c82b4..bdda39a903 100644
---- a/tests/data/profile_stability/rhel8/ospp.profile
-+++ b/tests/data/profile_stability/rhel8/ospp.profile
-@@ -214,6 +214,8 @@ selections:
- - timer_dnf-automatic_enabled
- - usbguard_allow_hid_and_hub
- - var_sshd_set_keepalive=0
-+- var_rekey_limit_size=512M
-+- var_rekey_limit_time=1hour
- - var_accounts_user_umask=027
- - var_password_pam_difok=4
- - var_password_pam_maxrepeat=3
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index cd31b73700..ebef541921 100644
---- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the
- 
-     - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
- documentation_complete: true
--extends: ospp
- selections:
- - account_disable_post_pw_expiration
- - account_temp_expire_date
-@@ -243,6 +242,8 @@ selections:
- - timer_dnf-automatic_enabled
- - usbguard_allow_hid_and_hub
- - var_sshd_set_keepalive=0
-+- var_rekey_limit_size=512M
-+- var_rekey_limit_time=1hour
- - var_accounts_user_umask=027
- - var_password_pam_difok=4
- - var_password_pam_maxrepeat=3
-
-From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Fri, 22 May 2020 11:43:36 +0200
-Subject: [PATCH 3/5] Improved how variables are handled in remediations.
-
----
- shared/macros-ansible.jinja | 14 ++++++++++++++
- shared/macros-bash.jinja    | 15 +++++++++++++++
- 2 files changed, 29 insertions(+)
-
-diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
-index 56a3f5f3ec..6798a25d1f 100644
---- a/shared/macros-ansible.jinja
-+++ b/shared/macros-ansible.jinja
-@@ -1,3 +1,17 @@
-+{{#
-+Pass strings that correspond to XCCDF value names as arguments to this macro:
-+ansible_instantiate_variables("varname1", "varname2")
-+
-+Then, assume that the task that follows can work with the variable by referencing it, e.g.
-+value: "Setting={{ varname1 }}"
-+
-+#}}
-+{{%- macro ansible_instantiate_variables() -%}}
-+{{%- for name in varargs -%}}
-+- (xccdf-var {{{ name }}})
-+{{% endfor -%}}
-+{{%- endmacro -%}}
-+
- {{#
-   A wrapper over the Ansible lineinfile module. This handles the most common
-   options for us. regex is optional and when blank, it won't be included in
-diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
-index 01b9e62e7b..3a94fe5dd8 100644
---- a/shared/macros-bash.jinja
-+++ b/shared/macros-bash.jinja
-@@ -1,5 +1,20 @@
- {{# ##### High level macros ##### #}}
- 
-+{{#
-+Pass strings that correspond to XCCDF value names as arguments to this macro:
-+bash_instantiate_variables("varname1", "varname2")
-+
-+Then, assume that variables of that names are defined and contain the correct value, e.g.
-+echo "Setting=$varname1" >> config_file
-+
-+#}}
-+{{%- macro bash_instantiate_variables() -%}}
-+{{%- for name in varargs -%}}
-+populate {{{ name }}}
-+{{# this line is intentionally left blank #}}
-+{{% endfor -%}}
-+{{%- endmacro -%}}
-+
- {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
- {{% if no_quotes -%}}
-   {{% if "$" in value %}}
-
-From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Fri, 22 May 2020 11:44:08 +0200
-Subject: [PATCH 4/5] Fixed Bash and Ansible remediations.
-
----
- .../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml    | 8 ++++++++
- .../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh        | 3 +--
- 2 files changed, 9 insertions(+), 2 deletions(-)
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
-new file mode 100644
-index 0000000000..43a2d4521f
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
-@@ -0,0 +1,8 @@
-+# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
-+# reboot = false
-+# strategy = configure
-+# complexity = low
-+# disruption = low
-+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
-+
-+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
-index 2620c2d49e..0277f31392 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
-@@ -3,7 +3,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_rekey_limit_size
--populate var_rekey_limit_time
-+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
- 
- {{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
-
-From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Fri, 22 May 2020 11:49:04 +0200
-Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.
-
----
- .../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
-index 57aa090948..47796e5332 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
-@@ -1,5 +1,4 @@
--{{% set filepath = "/etc/ssh/sshd_config" %}}
--{{% set parameter = "RekeyLimit" %}}
-+{{% set filepath = "/etc/ssh/sshd_config" -%}}
- 
- 
- <def-group>
-@@ -7,7 +6,7 @@
-     <metadata>
-       <title>{{{ rule_title }}}</title>
-       {{{- oval_affected(products) }}}
--      <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
-+      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
-     </metadata>
-     <criteria comment="sshd is configured correctly or is not installed" operator="OR">
-         {{{- application_not_required_or_requirement_unset() }}}
diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
deleted file mode 100644
index 2b758fb..0000000
--- a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 279b1d8b585d3521d4910ec8aa69583f9b7031ac Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 25 May 2020 10:51:24 +0200
-Subject: [PATCH 1/3] change rekey limit to 1G 1h in rhel8 ospp
-
----
- .../guide/services/ssh/ssh_server/var_rekey_limit_size.var     | 1 +
- rhel8/profiles/ospp.profile                                    | 2 +-
- rhel8/profiles/stig.profile                                    | 3 +++
- 3 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
-index 16dc376508..395a087a68 100644
---- a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
-+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
-@@ -12,3 +12,4 @@ options:
-     sshd_default: "default"
-     default: "512M"
-     "512M": "512M"
-+    "1G": "1G"
-diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
-index a5223a187f..0dca8350f9 100644
---- a/rhel8/profiles/ospp.profile
-+++ b/rhel8/profiles/ospp.profile
-@@ -58,7 +58,7 @@ selections:
-     - sshd_set_keepalive
-     - sshd_enable_warning_banner
-     - sshd_rekey_limit
--    - var_rekey_limit_size=512M
-+    - var_rekey_limit_size=1G
-     - var_rekey_limit_time=1hour
-     - sshd_use_strong_rng
-     - openssl_use_strong_entropy
-diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
-index 2bb81cf9dc..a156857647 100644
---- a/rhel8/profiles/stig.profile
-+++ b/rhel8/profiles/stig.profile
-@@ -44,3 +44,6 @@ selections:
-     - package_rsyslog-gnutls_installed
-     - rsyslog_remote_tls
-     - rsyslog_remote_tls_cacert
-+    - sshd_rekey_limit
-+    - var_rekey_limit_size=512M
-+    - var_rekey_limit_time=1hour
-
-From d8ce7bb5f47665e40b6ec2c47e565bb7c46164a9 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 25 May 2020 10:51:54 +0200
-Subject: [PATCH 2/3] update stable ospp profile
-
----
- tests/data/profile_stability/rhel8/ospp.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index bdda39a903..25f7922bf3 100644
---- a/tests/data/profile_stability/rhel8/ospp.profile
-+++ b/tests/data/profile_stability/rhel8/ospp.profile
-@@ -214,7 +214,7 @@ selections:
- - timer_dnf-automatic_enabled
- - usbguard_allow_hid_and_hub
- - var_sshd_set_keepalive=0
--- var_rekey_limit_size=512M
-+- var_rekey_limit_size=1G
- - var_rekey_limit_time=1hour
- - var_accounts_user_umask=027
- - var_password_pam_difok=4
-
-From 6623ece14b6534164a3b953fd43111cae4a3eeea Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 28 May 2020 09:30:58 +0200
-Subject: [PATCH 3/3] propagate change also into stig profile
-
----
- rhel8/profiles/stig.profile                     | 3 ---
- tests/data/profile_stability/rhel8/stig.profile | 2 +-
- 2 files changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
-index a156857647..2bb81cf9dc 100644
---- a/rhel8/profiles/stig.profile
-+++ b/rhel8/profiles/stig.profile
-@@ -44,6 +44,3 @@ selections:
-     - package_rsyslog-gnutls_installed
-     - rsyslog_remote_tls
-     - rsyslog_remote_tls_cacert
--    - sshd_rekey_limit
--    - var_rekey_limit_size=512M
--    - var_rekey_limit_time=1hour
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index ebef541921..6c4270925f 100644
---- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -242,7 +242,7 @@ selections:
- - timer_dnf-automatic_enabled
- - usbguard_allow_hid_and_hub
- - var_sshd_set_keepalive=0
--- var_rekey_limit_size=512M
-+- var_rekey_limit_size=1G
- - var_rekey_limit_time=1hour
- - var_accounts_user_umask=027
- - var_password_pam_difok=4
diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
deleted file mode 100644
index 8ebfb97..0000000
--- a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
+++ /dev/null
@@ -1,798 +0,0 @@
-From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 27 May 2020 14:34:50 +0200
-Subject: [PATCH 01/11] add rule, variables, check, remediations
-
----
- .../ssh_client_rekey_limit/ansible/shared.yml |  8 ++++
- .../ssh_client_rekey_limit/bash/shared.sh     |  8 ++++
- .../ssh_client_rekey_limit/oval/shared.xml    | 39 +++++++++++++++++++
- .../crypto/ssh_client_rekey_limit/rule.yml    | 34 ++++++++++++++++
- .../var_ssh_client_rekey_limit_size.var       | 15 +++++++
- .../var_ssh_client_rekey_limit_time.var       | 14 +++++++
- shared/references/cce-redhat-avail.txt        |  1 -
- 7 files changed, 118 insertions(+), 1 deletion(-)
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
- create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
- create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
-new file mode 100644
-index 0000000000..6d2bcbbd44
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
-@@ -0,0 +1,8 @@
-+# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
-+# reboot = false
-+# strategy = configure
-+# complexity = low
-+# disruption = low
-+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
-+
-+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
-new file mode 100644
-index 0000000000..43d0971ffc
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
-@@ -0,0 +1,8 @@
-+# platform = multi_platform_all
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
-+
-+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
-new file mode 100644
-index 0000000000..2412763e3f
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
-@@ -0,0 +1,39 @@
-+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
-+
-+
-+<def-group>
-+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
-+    <metadata>
-+      <title>{{{ rule_title }}}</title>
-+      {{{- oval_affected(products) }}}
-+      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
-+    </metadata>
-+    <criteria comment="RekeyLimit is correctly configured for ssh client">
-+      {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
-+    </criteria>
-+  </definition>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_ssh_client_rekey_limit" version="1">
-+     <ind:object object_ref="obj_ssh_client_rekey_limit"/>
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
-+     <ind:filepath>{{{ filepath }}}</ind:filepath>
-+     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
-+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+  <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
-+    <concat>
-+      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
-+      <variable_component var_ref="var_ssh_client_rekey_limit_size"/>
-+      <literal_component>[\s]+</literal_component>
-+      <variable_component var_ref="var_ssh_client_rekey_limit_time"/>
-+      <literal_component>[\s]*$</literal_component>
-+    </concat>
-+  </local_variable>
-+
-+  <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
-+  <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
-+</def-group>
-+
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-new file mode 100644
-index 0000000000..a1b85b0ee5
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-@@ -0,0 +1,34 @@
-+documentation_complete: true
-+
-+prodtype: rhel8
-+
-+title: 'Configure session renegotiation for SSH client'
-+
-+description: |-
-+    The <tt>RekeyLimit</tt> parameter specifies how often
-+    the session key is renegotiated, both in terms of
-+    amount of data that may be transmitted and the time
-+    elapsed. To decrease the default limits, put line
-+    <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
-+
-+rationale: |-
-+    By decreasing the limit based on the amount of data and enabling
-+    time-based limit, effects of potential attacks against
-+    encryption keys are limited.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel8: 82880-6
-+
-+references:
-+    ospp: FCS_SSHS_EXT.1
-+
-+ocil_clause: 'it is commented out or is not set'
-+
-+ocil: |-
-+    To check if RekeyLimit is set correctly, run the
-+    following command:
-+    <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
-+    If configured properly, output should be
-+    <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-new file mode 100644
-index 0000000000..bcf051fd97
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-@@ -0,0 +1,15 @@
-+documentation_complete: true
-+
-+title: 'SSH client RekeyLimit - size'
-+
-+description: 'Specify the size component of the rekey limit.'
-+
-+type: string
-+
-+operator: equals
-+
-+options:
-+    ssh_client_default: "default"
-+    default: "512M"
-+    "512M": "512M"
-+    "1G": "1G"
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-new file mode 100644
-index 0000000000..31c76f9ab5
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-@@ -0,0 +1,14 @@
-+documentation_complete: true
-+
-+title: 'SSH client RekeyLimit - size'
-+
-+description: 'Specify the size component of the rekey limit.'
-+
-+type: string
-+
-+operator: equals
-+
-+options:
-+    ssh_client_default: "none"
-+    default: "1h"
-+    "1hour": "1h"
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 45d03a2c1d..e060d2fb1c 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -1,4 +1,3 @@
--CCE-82880-6
- CCE-82882-2
- CCE-82883-0
- CCE-82888-9
-
-From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 27 May 2020 14:35:24 +0200
-Subject: [PATCH 02/11] add tests
-
----
- .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh      | 4 ++++
- .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh      | 4 ++++
- .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh       | 3 +++
- .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh  | 4 ++++
- 4 files changed, 15 insertions(+)
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
-new file mode 100644
-index 0000000000..2ac0bbf350
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
-@@ -0,0 +1,4 @@
-+# platform = multi_platform_all
-+
-+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
-new file mode 100644
-index 0000000000..fec859fe05
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
-@@ -0,0 +1,4 @@
-+# platform = multi_platform_all
-+
-+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-new file mode 100644
-index 0000000000..a6cd10163f
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-@@ -0,0 +1,3 @@
-+# platform = multi_platform_all
-+
-+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-new file mode 100644
-index 0000000000..a6a2ba7adf
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-@@ -0,0 +1,4 @@
-+# platform = multi_platform_all
-+
-+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
-
-From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 27 May 2020 14:35:43 +0200
-Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
-
----
- rhel8/profiles/ospp.profile                     | 5 +++++
- tests/data/profile_stability/rhel8/ospp.profile | 3 +++
- tests/data/profile_stability/rhel8/stig.profile | 3 +++
- 3 files changed, 11 insertions(+)
-
-diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
-index 0dca8350f9..07d32b814d 100644
---- a/rhel8/profiles/ospp.profile
-+++ b/rhel8/profiles/ospp.profile
-@@ -410,3 +410,8 @@ selections:
- 
-     # Prevent Kerberos use by system daemons
-     - kerberos_disable_no_keytab
-+
-+    # set ssh client rekey limit
-+    - ssh_client_rekey_limit
-+    - var_ssh_client_rekey_limit_size=1G
-+    - var_ssh_client_rekey_limit_time=1hour
-diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index 25f7922bf3..b0d7672c36 100644
---- a/tests/data/profile_stability/rhel8/ospp.profile
-+++ b/tests/data/profile_stability/rhel8/ospp.profile
-@@ -240,4 +240,7 @@ selections:
- - grub2_vsyscall_argument.severity=info
- - sysctl_user_max_user_namespaces.role=unscored
- - sysctl_user_max_user_namespaces.severity=info
-+- ssh_client_rekey_limit
-+- var_ssh_client_rekey_limit_size=1G
-+- var_ssh_client_rekey_limit_time=1hour
- title: Protection Profile for General Purpose Operating Systems
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 6c4270925f..330ecc7e1e 100644
---- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -269,4 +269,7 @@ selections:
- - grub2_vsyscall_argument.severity=info
- - sysctl_user_max_user_namespaces.role=unscored
- - sysctl_user_max_user_namespaces.severity=info
-+- ssh_client_rekey_limit
-+- var_ssh_client_rekey_limit_size=1G
-+- var_ssh_client_rekey_limit_time=1hour
- title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
-
-From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 28 May 2020 14:25:41 +0200
-Subject: [PATCH 04/11] improve description of variables
-
----
- .../crypto/var_ssh_client_rekey_limit_size.var       | 10 ++++++++--
- .../crypto/var_ssh_client_rekey_limit_time.var       | 12 +++++++++---
- 2 files changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-index bcf051fd97..4e20104cba 100644
---- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-@@ -2,14 +2,20 @@ documentation_complete: true
- 
- title: 'SSH client RekeyLimit - size'
- 
--description: 'Specify the size component of the rekey limit.'
-+description: |-
-+    Specify the size component of the rekey limit. This limit signifies amount
-+    of data. After this amount of data is transferred through the connection,
-+    the session key is renegotiated. The number is followed by K, M or G for
-+    kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
-+    configured according to ellabsed time.
-+
-+interactive: true
- 
- type: string
- 
- operator: equals
- 
- options:
--    ssh_client_default: "default"
-     default: "512M"
-     "512M": "512M"
-     "1G": "1G"
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-index 31c76f9ab5..6143a5448c 100644
---- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-@@ -1,14 +1,20 @@
- documentation_complete: true
- 
--title: 'SSH client RekeyLimit - size'
-+title: 'SSH client RekeyLimit - time'
- 
--description: 'Specify the size component of the rekey limit.'
-+description: |-
-+    Specify the time component of the rekey limit. This limit signifies amount
-+    of data. The session key is renegotiated after the defined amount of time
-+    passes. The number is followed by units such as H or M for hours or minutes.
-+    Note that the RekeyLimit can be also configured according to amount of
-+    transfered data.
-+
-+interactive: true
- 
- type: string
- 
- operator: equals
- 
- options:
--    ssh_client_default: "none"
-     default: "1h"
-     "1hour": "1h"
-
-From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 28 May 2020 14:26:12 +0200
-Subject: [PATCH 05/11] fix tests and ansible
-
----
- .../crypto/ssh_client_rekey_limit/ansible/shared.yml         | 2 +-
- .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh     | 4 ++--
- .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh     | 4 ++--
- .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh      | 2 +-
- .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
- 5 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
-index 6d2bcbbd44..bb6544a0a0 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
-@@ -1,4 +1,4 @@
--# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
-+# platform = multi_platform_all
- # reboot = false
- # strategy = configure
- # complexity = low
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
-index 2ac0bbf350..22c465b08f 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
-@@ -1,4 +1,4 @@
- # platform = multi_platform_all
- 
--sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
--echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
-+
-+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
-index fec859fe05..0dc621b1da 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
-@@ -1,4 +1,4 @@
- # platform = multi_platform_all
- 
--sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
--echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
-+
-+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-index a6cd10163f..f6abf711da 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-@@ -1,3 +1,3 @@
- # platform = multi_platform_all
- 
--sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-index a6a2ba7adf..e64e4191bc 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-@@ -1,4 +1,5 @@
- # platform = multi_platform_all
- 
--sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
--echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
-+
-+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
-+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
-
-From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 1 Jun 2020 14:29:47 +0200
-Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
-
----
- .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh    | 2 +-
- rhel8/profiles/stig.profile                                     | 1 +
- tests/data/profile_stability/rhel8/stig.profile                 | 1 -
- 3 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-index e64e4191bc..89d7069687 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-@@ -2,4 +2,4 @@
- 
- 
- rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
--echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
-+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
-diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
-index 2bb81cf9dc..8f12852e26 100644
---- a/rhel8/profiles/stig.profile
-+++ b/rhel8/profiles/stig.profile
-@@ -44,3 +44,4 @@ selections:
-     - package_rsyslog-gnutls_installed
-     - rsyslog_remote_tls
-     - rsyslog_remote_tls_cacert
-+    - "!ssh_client_rekey_limit"
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 330ecc7e1e..9b164eb5c2 100644
---- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -269,7 +269,6 @@ selections:
- - grub2_vsyscall_argument.severity=info
- - sysctl_user_max_user_namespaces.role=unscored
- - sysctl_user_max_user_namespaces.severity=info
--- ssh_client_rekey_limit
- - var_ssh_client_rekey_limit_size=1G
- - var_ssh_client_rekey_limit_time=1hour
- title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
-
-From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 3 Jun 2020 12:38:19 +0200
-Subject: [PATCH 07/11] rewrite oval to check for multiple locations
-
----
- .../ssh_client_rekey_limit/oval/shared.xml    | 42 ++++++++++++-------
- 1 file changed, 26 insertions(+), 16 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
-index 2412763e3f..41fa0497ae 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
-@@ -1,28 +1,17 @@
--{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
--
- 
- <def-group>
-   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-     <metadata>
-       <title>{{{ rule_title }}}</title>
-       {{{- oval_affected(products) }}}
--      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
-+      <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
-     </metadata>
--    <criteria comment="RekeyLimit is correctly configured for ssh client">
--      {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
-+    <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
-+      <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
-+      <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
-     </criteria>
-   </definition>
- 
--  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_ssh_client_rekey_limit" version="1">
--     <ind:object object_ref="obj_ssh_client_rekey_limit"/>
--  </ind:textfilecontent54_test>
--
--  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
--     <ind:filepath>{{{ filepath }}}</ind:filepath>
--     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
--     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
--  </ind:textfilecontent54_object>
--
-   <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
-     <concat>
-       <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
-@@ -35,5 +24,26 @@
- 
-   <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
-   <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
--</def-group>
- 
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
-+     <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
-+     <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
-+     <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
-+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
-+     <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
-+     <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
-+     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
-+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+</def-group>
-
-From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 4 Jun 2020 08:24:54 +0200
-Subject: [PATCH 08/11] reqrite remediations
-
----
- .../ssh_client_rekey_limit/ansible/shared.yml    | 16 ++++++++++++++++
- .../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++
- 2 files changed, 29 insertions(+)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
-index bb6544a0a0..36de503806 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
-@@ -5,4 +5,20 @@
- # disruption = low
- {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
- 
-+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
-+
-+- name: Collect all include config files for ssh client which configure RekeyLimit
-+  find:
-+    paths: "/etc/ssh/ssh_config.d/"
-+    contains: '^[\s]*RekeyLimit.*$'
-+    patterns: "*.config"
-+  register: ssh_config_include_files
-+
-+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
-+  lineinfile:
-+    path: "{{ item }}"
-+    regexp: '^[\s]*RekeyLimit.*$'
-+    state: "absent"
-+  loop: "{{ ssh_config_include_files.files }}"
-+
- {{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
-index 43d0971ffc..99f6f63c92 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
-@@ -5,4 +5,17 @@
- 
- {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
- 
-+main_config="/etc/ssh/ssh_config"
-+include_directory="/etc/ssh/ssh_config.d"
-+
-+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
-+  sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
-+fi
-+
-+for file in "$include_directory"/*.conf; do
-+  if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
-+    sed -i '/^[\s]*RekeyLimit.*/d' "$file"
-+  fi
-+done
-+
- {{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
-
-From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 4 Jun 2020 08:25:14 +0200
-Subject: [PATCH 09/11] add more tests
-
----
- .../tests/bad_main_config_good_include_config.fail.sh         | 4 ++++
- .../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh  | 4 ++++
- .../tests/ok_different_config_file.pass.sh                    | 3 +++
- 3 files changed, 11 insertions(+)
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
-new file mode 100644
-index 0000000000..90314712af
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
-@@ -0,0 +1,4 @@
-+#!/bin/basdh
-+
-+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
-+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
-new file mode 100644
-index 0000000000..9ba20b0290
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+
-+rm -rf /etc/ssh/ssh_config.d/*
-+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
-new file mode 100644
-index 0000000000..f725f6936f
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
-
-From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 4 Jun 2020 08:25:29 +0200
-Subject: [PATCH 10/11] extend description and ocil
-
----
- .../crypto/ssh_client_rekey_limit/rule.yml    | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-index a1b85b0ee5..76f5f84090 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-@@ -10,6 +10,12 @@ description: |-
-     amount of data that may be transmitted and the time
-     elapsed. To decrease the default limits, put line
-     <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
-+    Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
-+    the <tt>include</tt> directive in the main config file
-+    <tt>/etc/ssh/ssh_config</tt>. Check also other files in
-+    <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
-+    their names. Make sure that there is no file processed before
-+    <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
- 
- rationale: |-
-     By decreasing the limit based on the amount of data and enabling
-@@ -27,8 +33,11 @@ references:
- ocil_clause: 'it is commented out or is not set'
- 
- ocil: |-
--    To check if RekeyLimit is set correctly, run the
--    following command:
--    <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
--    If configured properly, output should be
--    <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
-+    To check if RekeyLimit is set correctly, run the following command: <pre>$
-+    sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> If configured
-+    properly, output should be <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
-+    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
-+    sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
-+    main configuration file with the following command: <pre>sudo grep
-+    RekeyLimit /etc/ssh/ssh_config</pre> The command should not return any
-+    output.
-
-From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 8 Jun 2020 11:44:44 +0200
-Subject: [PATCH 11/11] fix typos and wording
-
----
- .../integrity/crypto/ssh_client_rekey_limit/rule.yml     | 5 +++--
- .../tests/bad_main_config_good_include_config.fail.sh    | 2 +-
- .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +
- .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +
- .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh  | 1 +
- .../crypto/ssh_client_rekey_limit/tests/ok.pass.sh       | 1 +
- .../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-
- .../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----
- 8 files changed, 13 insertions(+), 9 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-index 76f5f84090..b054d9d221 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-@@ -14,8 +14,9 @@ description: |-
-     the <tt>include</tt> directive in the main config file
-     <tt>/etc/ssh/ssh_config</tt>. Check also other files in
-     <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
--    their names. Make sure that there is no file processed before
--    <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
-+    lexicographical order of file names. Make sure that there is no file
-+    processed before <tt>02-rekey-limit.conf</tt> containing definition of
-+    <tt>RekeyLimit</tt>.
- 
- rationale: |-
-     By decreasing the limit based on the amount of data and enabling
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
-index 90314712af..58befb0107 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
-@@ -1,4 +1,4 @@
--#!/bin/basdh
-+#!/bin/bash
- 
- echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
- echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
-index 22c465b08f..1803c26629 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
-@@ -1,3 +1,4 @@
-+#!/bin/bash
- # platform = multi_platform_all
- 
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
-index 0dc621b1da..2c9e839255 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
-@@ -1,3 +1,4 @@
-+#!/bin/bash
- # platform = multi_platform_all
- 
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-index f6abf711da..7de108eafd 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-@@ -1,3 +1,4 @@
-+#!/bin/bash
- # platform = multi_platform_all
- 
- echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-index 89d7069687..4c047ed179 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-@@ -1,3 +1,4 @@
-+#!/bin/bash
- # platform = multi_platform_all
- 
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-index 4e20104cba..c8dd8ef10e 100644
---- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-@@ -7,7 +7,7 @@ description: |-
-     of data. After this amount of data is transferred through the connection,
-     the session key is renegotiated. The number is followed by K, M or G for
-     kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
--    configured according to ellabsed time.
-+    configured according to elapsed time.
- 
- interactive: true
- 
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-index 6143a5448c..6223e8e38f 100644
---- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-@@ -3,11 +3,10 @@ documentation_complete: true
- title: 'SSH client RekeyLimit - time'
- 
- description: |-
--    Specify the time component of the rekey limit. This limit signifies amount
--    of data. The session key is renegotiated after the defined amount of time
--    passes. The number is followed by units such as H or M for hours or minutes.
--    Note that the RekeyLimit can be also configured according to amount of
--    transfered data.
-+    Specify the time component of the rekey limit. The session key is
-+    renegotiated after the defined amount of time passes. The number is followed
-+    by units such as H or M for hours or minutes. Note that the RekeyLimit can
-+    be also configured according to amount of transfered data.
- 
- interactive: true
- 
diff --git a/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch b/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
deleted file mode 100644
index d80f19e..0000000
--- a/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 713bc3b17929d0c73b7898f42fe7935806a3bfff Mon Sep 17 00:00:00 2001
-From: Gabe <redhatrises@gmail.com>
-Date: Tue, 16 Jun 2020 16:04:10 -0600
-Subject: [PATCH] Remove grub documentation links from RHEL7 rationale
-
----
- .../system/bootloader-grub2/grub2_admin_username/rule.yml  | 7 -------
- .../guide/system/bootloader-grub2/grub2_password/rule.yml  | 7 -------
- .../system/bootloader-grub2/grub2_uefi_password/rule.yml   | 7 -------
- 3 files changed, 21 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
-index 2042a17806..63a6a7a83c 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
-@@ -24,13 +24,6 @@ description: |-
- 
- rationale: |-
-     Having a non-default grub superuser username makes password-guessing attacks less effective.
--    {{% if product == "rhel7" %}}
--    For more information on how to configure the grub2 superuser account and password,
--    please refer to
--    <ul>
--    <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
--    </ul>
--    {{% endif %}}
- 
- severity: low
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
-index 00cec58c77..985b8727d7 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
-@@ -23,13 +23,6 @@ rationale: |-
-     users with physical access cannot trivially alter
-     important bootloader settings. These include which kernel to use,
-     and whether to enter single-user mode.
--    {{% if product == "rhel7" %}}
--    For more information on how to configure the grub2 superuser account and password,
--    please refer to
--    <ul>
--    <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
--    </ul>
--    {{% endif %}}
- 
- severity: high
- 
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-index 954d6f21d0..3ce5a2df13 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-@@ -23,13 +23,6 @@ rationale: |-
-     users with physical access cannot trivially alter
-     important bootloader settings. These include which kernel to use,
-     and whether to enter single-user mode.
--    {{% if product == "rhel7" %}}
--    For more information on how to configure the grub2 superuser account and password,
--    please refer to
--    <ul>
--    <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
--    </ul>
--    {{% endif %}}
- 
- severity: medium
- 
diff --git a/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
deleted file mode 100644
index 4b69221..0000000
--- a/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
+++ /dev/null
@@ -1,1216 +0,0 @@
-From 29eb0f64454f275085015b481a59184e73ebe7f6 Mon Sep 17 00:00:00 2001
-From: Shawn Wells <shawn@redhat.com>
-Date: Sun, 29 Mar 2020 00:58:02 -0400
-Subject: [PATCH 01/20] update CIS RHEL8 profile
-
----
- .../service_crond_enabled/rule.yml            |   2 +-
- .../r_services/no_rsh_trust_files/rule.yml    |   8 +-
- .../rule.yml                                  |   2 +-
- .../account_unique_name/rule.yml              |  11 +-
- .../accounts_maximum_age_login_defs/rule.yml  |   2 +-
- .../accounts_minimum_age_login_defs/rule.yml  |   1 +
- .../rule.yml                                  |   1 +
- .../var_accounts_maximum_age_login_defs.var   |   1 +
- .../password_storage/no_netrc_files/rule.yml  |   4 +-
- .../accounts_no_uid_except_zero/rule.yml      |   2 +-
- .../no_direct_root_logins/rule.yml            |   2 +-
- .../rule.yml                                  |   1 +
- .../accounts-session/accounts_tmout/rule.yml  |   1 +
- .../rule.yml                                  |   1 +
- .../rule.yml                                  |   1 +
- .../file_permissions_home_dirs/rule.yml       |   4 +-
- .../rsyslog_files_permissions/rule.yml        |   2 +-
- .../ensure_logrotate_activated/rule.yml       |   1 +
- .../package_rsyslog_installed/rule.yml        |   2 +-
- .../rsyslog_nolisten/rule.yml                 |   2 +
- .../rsyslog_remote_loghost/rule.yml           |   4 +-
- .../logging/service_rsyslog_enabled/rule.yml  |   2 +-
- rhel8/profiles/cis.profile                    | 141 ++++++++++++------
- shared/references/cce-redhat-avail.txt        |   2 -
- 24 files changed, 137 insertions(+), 63 deletions(-)
-
-diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-index a1f82cf5c9..09d1a92a55 100644
---- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-@@ -24,7 +24,7 @@ identifiers:
- references:
-     stigid@rhel6: "000224"
-     srg@rhel6: SRG-OS-999999
--    cis: 5.1.1
-+    cis@rhel8: 5.1.1
-     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
-     nist: CM-6(a)
-     nist-csf: PR.IP-1,PR.PT-3
-diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-index 2ccf4127b7..ec2fa6c012 100644
---- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-@@ -12,9 +12,9 @@ description: |-
-     <pre>$ rm ~/.rhosts</pre>
- 
- rationale: |-
--    Trust files are convenient, but when
--    used in conjunction with the R-services, they can allow
--    unauthenticated access to a system.
-+    This action is only meaningful if <tt>.rhosts</tt> support is permitted
-+    through PAM. Trust files are convenient, but when used in conjunction with
-+    the R-services, they can allow unauthenticated access to a system.
- 
- severity: high
- 
-@@ -26,7 +26,7 @@ identifiers:
- references:
-     stigid@rhel6: "000019"
-     srg@rhel6: SRG-OS-000248
--    cis: 6.2.14
-+    cis@rhel8: 6.2.13
-     disa: "1436"
-     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
-     nist: CM-7(a),CM-7(b),CM-6(a)
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-index fff30d70c7..7a1538392a 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-@@ -43,7 +43,7 @@ references:
-     stigid@rhel6: "000062"
-     srg@rhel6: SRG-OS-000120
-     disa@rhel6: '803'
--    cis: 6.3.1
-+    cis@rhel8: 5.4.4
-     cjis: 5.6.2.2
-     cui: 3.13.11
-     disa: "196"
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-index 2cdafc0609..35652a410b 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-@@ -2,9 +2,15 @@ documentation_complete: true
- 
- title: 'Ensure All Accounts on the System Have Unique Names'
- 
--description: 'Change usernames, or delete accounts, so each has a unique name.'
-+description: |-
-+    Although the <tt>useradd</tt> utility prevents creation of duplicate user
-+    names, it is possible for a malicious administrator to manually edit the
-+    <tt>/etc/passwd</tt> file and change the user name.
- 
--rationale: 'Unique usernames allow for accountability on the system.'
-+rationale: |-
-+    If a user is assigned a duplicate user name, the new user will be able to
-+    create and have access to files with the first UID for that username as
-+    defined in <tt>/etc/passwd</tt>.
- 
- severity: medium
- 
-@@ -19,6 +25,7 @@ references:
-     cjis: 5.5.2
-     disa: 770,804
-     pcidss: Req-8.1.1
-+    cis@rhel8: 6.2.17
- 
- ocil_clause: 'a line is returned'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-index af1ea13d8f..c2c4aa11bc 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-@@ -34,7 +34,7 @@ references:
-     stigid@rhel6: "000053"
-     srg@rhel6: SRG-OS-000076
-     disa@rhel6: '180'
--    cis: 5.4.1.1
-+    cis@rhel8: 5.5.1.1
-     cjis: 5.6.2.1
-     cui: 3.5.6
-     disa: "199"
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-index 2de12efb3e..6147d672a4 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-@@ -44,6 +44,7 @@ references:
-     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
-     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
-     cis-csc: 1,12,15,16,5
-+    cis@rhel8: 5.5.1.2
- 
- ocil_clause: 'it is not equal to or greater than the required value'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-index 3a5c00708d..2a1005bd20 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-@@ -33,6 +33,7 @@ references:
-     cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
-     iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
-     cis-csc: 1,12,13,14,15,16,18,3,5,7,8
-+    cis@rhel8: 5.5.1.3
- 
- ocil_clause: 'it is not set to the required value'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
-index 731f8f475f..11eb238c5d 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
-@@ -9,6 +9,7 @@ type: number
- interactive: false
- 
- options:
-+    365: 365
-     120: 120
-     180: 180
-     60: 60
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-index 01454a7274..8547893201 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-@@ -11,8 +11,7 @@ description: |-
- 
- rationale: |-
-     Unencrypted passwords for remote FTP servers may be stored in <tt>.netrc</tt>
--    files. DoD policy requires passwords be encrypted in storage and not used
--    in access scripts.
-+    files. 
- 
- severity: medium
- 
-@@ -24,6 +23,7 @@ identifiers:
- references:
-     stigid@rhel6: "000347"
-     srg@rhel6: SRG-OS-000073
-+    cis@rhel8: 6.2.11
-     disa: "196"
-     nist: IA-5(h),IA-5(1)(c),CM-6(a),IA-5(7)
-     nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-index 0b61daf925..14f9140687 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-@@ -31,7 +31,7 @@ references:
-     stigid@ol7: "020310"
-     stigid@rhel6: "000032"
-     srg@rhel6: SRG-OS-999999
--    cis: 6.2.5
-+    cis@rhel8: 6.2.6
-     cui: 3.1.1,3.1.5
-     disa: "366"
-     nist: IA-2,AC-6(5),IA-4(b)
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-index 1d08bde4d9..9e00f3aad6 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-@@ -33,7 +33,7 @@ identifiers:
-     cce@ocp4: 82698-2
- 
- references:
--    cis: "5.5"
-+    cis@rhel8: "5.6"
-     cui: 3.1.1,3.1.6
-     hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
-     nist: IA-2,CM-6(a)
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-index ae8ba133b7..0c26ac3240 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-@@ -35,6 +35,7 @@ references:
-     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
-     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
-     cis-csc: 12,13,14,15,16,18,3,5
-+    cis@rhel8: "5.6"
-     srg: SRG-OS-000324-GPOS-00125
- 
- ocil_clause: 'root login over virtual console devices is permitted'
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-index 787f2264de..f09006b72b 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-@@ -38,6 +38,7 @@ references:
-     cobit5: DSS05.04,DSS05.10,DSS06.10
-     iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
-     cis-csc: 1,12,15,16
-+    cis@rhel8: 5.5.3
-     anssi: NT28(R29)
- 
- ocil_clause: 'value of TMOUT is not less than or equal to expected setting'
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-index e7e9a751a4..bedf3a0b19 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-@@ -27,6 +27,7 @@ references:
-     disa: "366"
-     srg: SRG-OS-000480-GPOS-00227
-     stigid@rhel7: "020620"
-+    cis@rhel8: 6.2.20
- 
- ocil_clause: 'users home directory does not exist'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-index d58884235e..1c5ac8d099 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-@@ -26,6 +26,7 @@ references:
-     disa: "366"
-     srg: SRG-OS-000480-GPOS-00227
-     stigid@rhel7: "020650"
-+    cis@rhel8: 6.2.8
- 
- ocil_clause: 'the group ownership is incorrect'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
-index 8812f9d123..27c190b5b1 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
-@@ -22,11 +22,12 @@ rationale: |-
-     to one another's home directories, this can be provided using
-     groups or ACLs.
- 
--severity: unknown
-+severity: medium
- 
- identifiers:
-     cce@rhel6: 26981-1
-     cce@rhel7: 80201-7
-+    cce@rhel8: 84274-0
- 
- references:
-     disa: "225"
-@@ -37,6 +38,7 @@ references:
-     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
-     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
-     cis-csc: 12,13,14,15,16,18,3,5
-+    cis@rhel8: 6.2.7
- 
- ocil_clause: 'the user home directory is group-writable or world-readable'
- 
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
-index 4c1e69020b..aa6e0905ae 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
-@@ -31,7 +31,7 @@ references:
-     anssi: NT28(R36)
-     stigid@rhel6: "000135"
-     srg@rhel6: SRG-OS-000206
--    cis: 4.2.1.3
-+    cis@rhel8: 4.2.1.3
-     disa: "1314"
-     nist: CM-6(a),AC-6(1)
-     pcidss: Req-10.5.1,Req-10.5.2
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-index def9566692..2c41a3b9ef 100644
---- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-@@ -35,6 +35,7 @@ references:
-     cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
-     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
-     cis-csc: 1,14,15,16,3,5,6
-+    cis@rhel8: 4.3
-     anssi: NT28(R43),NT12(R18)
- 
- ocil_clause: 'logrotate is not configured to run daily'
-diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
-index 9f00dd9704..00fecf8a3c 100644
---- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
-+++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
-@@ -18,7 +18,7 @@ identifiers:
- references:
-     cis@debian8: 5.1.1
-     anssi: NT28(R5),NT28(R46)
--    cis: 4.2.3
-+    cis@rhel8: 4.2.1.1
-     disa: 1311,1312
-     hipaa: 164.312(a)(2)(ii)
-     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
-diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-index 8a5a15e1da..14e729252c 100644
---- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
-     cce@rhel6: 26803-7
-     cce@rhel7: 80192-8
-+    cce@rhel8: 84275-7
- 
- references:
-     stigid@ol7: "031010"
-@@ -39,3 +40,4 @@ references:
-     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
-     cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
-     stigid@rhel7: "031010"
-+    cis@rhel8: 4.2.1.6
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-index 7b70b0c186..da28b99561 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-@@ -46,8 +46,8 @@ references:
-     anssi: NT28(R7),NT28(R43),NT12(R5)
-     stigid@rhel6: "000136"
-     srg@rhel6: SRG-OS-000043,SRG-OS-000215
--    cis: 4.2.1.4
--    disa: 136,366,1348,1851
-+    cis@rhel8: 4.2.1.5
-+    disa: 366,1348,136,1851
-     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii)
-     iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.17.2.1
-     nist: CM-6(a),AU-4(1),AU-9(2)
-diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-index ce8347c686..92fd6bc4d8 100644
---- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-@@ -20,7 +20,7 @@ identifiers:
- references:
-     cis@debian8: 5.1.2
-     anssi: NT28(R5),NT28(R46)
--    cis: 4.2.1.1
-+    cis@rhel8: 4.2.1.2
-     disa: 1311,1312,1557,1851
-     hipaa: 164.312(a)(2)(ii)
-     iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2,A.17.2.1
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index cc0c2a5b9a..528f17d696 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -602,87 +602,88 @@ selections:
- 
-     ### 4.1.9 Ensure discretionary access control permission modification
-     ###       events are collected (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
-     
-     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
-     ###        collected (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
- 
-     ### 4.1.11 Ensure events that modify user/group information are
-     ###        collected (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
- 
-     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
- 
-     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
- 
-     ### 4.1.14 Ensure file deletion events by users are collected
-     ###        (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
- 
-     ### 4.1.15 Ensure kernel module loading and unloading is collected
-     ###        (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
- 
-     ### 4.1.16 Ensure system administrator actions (sudolog) are
-     ###        collected (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
- 
-     ### 4.1.17 Ensure the audit configuration is immutable (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
- 
-     ## 4.2 Configure Logging
- 
-     ### 4.2.1 Configure rsyslog
- 
-     #### 4.2.1.1 Ensure rsyslog is installed (Scored)
--
-+    - package_rsyslog_installed
- 
-     #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
--
-+    - service_rsyslog_enabled
- 
-     #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
--
-+    - rsyslog_files_permissions
- 
-     #### 4.2.1.4 Ensure logging is configured (Not Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
- 
-     #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
-     ####         log host (Scored)   
--
-+    - rsyslog_remote_loghost
- 
-     #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
-     ####         designated log hosts (Not Scored)
--
-+    - rsyslog_nolisten
- 
-     ### 4.2.2 Configure journald
- 
-     #### 4.2.2.1 Ensure journald is configured to send logs to
-     ####         rsyslog (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
- 
-     #### 4.2.2.2 Ensure journald is configured to compress large
-     ####         log files (Scored)
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
- 
- 
-     #### 4.2.2.3 Ensure journald is configured to write logfiles to
-     ####         persistent disk (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
- 
-     ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
- 
-     ## 4.3 Ensure logrotate is conifgured (Not Scored)
--
-+    - ensure_logrotate_activated
- 
-     # 5 Access, Authentication and Authorization
- 
-     ## 5.1 Configure cron
- 
--
-     ### 5.1.1 Ensure cron daemon is enabled (Scored)
-+    - service_crond_enabled
- 
- 
-     ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
-@@ -790,19 +791,19 @@ selections:
- 
-     ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
-     ###        or less (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
- 
-     ### 5.2.15 Ensure SSH warning banner is configured (Scored)
-     - sshd_enable_warning_banner
- 
-     ### 5.2.16 Ensure SSH PAM is enabled (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
- 
-     ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
-     - sshd_disable_tcp_forwarding
- 
-     ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
- 
-     ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
-     - sshd_set_max_sessions
-@@ -815,69 +816,75 @@ selections:
- 
- 
-     ### 5.3.1 Create custom authselectet profile (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
- 
-     ### 5.3.2 Select authselect profile (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
- 
-     ### 5.3.3 Ensure authselect includes with-faillock (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
- 
-     ## 5.4 Configure PAM
- 
-     ### 5.4.1 Ensure password creation requirements are configured (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
- 
-     ### 5.4.2 Ensure lockout for failed password attempts is
-     ###       configured (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
- 
-     ### 5.4.3 Ensure password reuse is limited (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
- 
-     ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
--
-+    - set_password_hashing_algorithm_systemauth
- 
-     ## 5.5 User Accounts and Environment
- 
-     ### 5.5.1 Set Shadow Password Suite Parameters
- 
-     #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
--
-+    - var_accounts_maximum_age_login_defs=365
-+    - accounts_maximum_age_login_defs
- 
-     #### 5.5.1.2 Ensure minimum days between password changes is 7
-     ####         or more (Scored)
--
-+    - var_accounts_minimum_age_login_defs=7
-+    - accounts_minimum_age_login_defs
- 
-     #### 5.5.1.3 Ensure password expiration warning days is
-     ####         7 or more (Scored)
--
-+    - var_accounts_password_warn_age_login_defs=7
-+    - accounts_password_warn_age_login_defs
- 
-     #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
- 
-     #### 5.5.1.5 Ensure all users last password change date is
-     ####         in the past (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
- 
-     ### 5.5.2 Ensure system accounts are secured (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
- 
-     ### 5.5.3 Ensure default user shell timeout is 900 seconds
-     ###       or less (Scored)
--
-+    - var_accounts_tmout=15_min
-+    - accounts_tmout
- 
-     ### 5.5.4 Ensure default group for the root account is
-     ###       GID 0 (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
- 
-     ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
--
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
- 
-     ## 5.6 Ensure root login is restricted to system console (Not Scored)
--
-+    - securetty_root_login_console_only
-+    - no_direct_root_logins
- 
-     ## 5.7 Ensure access to the su command is restricted (Scored)
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
- 
-     # System Maintenance
- 
-@@ -971,8 +978,58 @@ selections:
-     ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
-     - no_legacy_plus_entries_etc_passwd
- 
--    ## 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
-+    ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
-     - no_legacy_plus_entries_etc_shadow
- 
--    ###6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
-+    ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
-     - no_legacy_plus_entries_etc_group
-+
-+    ### 6.2.6 Ensure root is the only UID 0 account (Scored)
-+    - accounts_no_uid_except_zero
-+
-+    ### 6.2.7 Ensure users' home directories permissions are 750
-+    ###       or more restrictive (Scored)
-+    - file_permissions_home_dirs
-+
-+    ### 6.2.8 Ensure users own their home directories (Scored)
-+    # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
-+    - file_groupownership_home_directories
-+
-+    ### 6.2.9 Ensure users' dot files are not group or world
-+    ###       writable (Scored)
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
-+
-+    ### 6.2.10 Ensure no users have .forward files (Scored)
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
-+
-+    ### 6.2.11 Ensure no users have .netrc files (Scored)
-+    - no_netrc_files
-+
-+    ### 6.2.12 Ensure users' .netrc Files are not group or
-+    ###        world accessible (Scored)
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
-+
-+    ### 6.2.13 Ensure no users have .rhosts files (Scored)
-+    - no_rsh_trust_files
-+
-+    ### 6.2.14 Ensure all groups in /etc/passwd exist in
-+    ###        /etc/group (Scored)
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
-+
-+    ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
-+    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5502
-+
-+    ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
-+    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5501
-+
-+    ### 6.2.17 Ensure no duplicate user names exist (Scored)
-+    - account_unique_name
-+
-+    ### 6.2.18 Ensure no duplicate group names exist (Scored)
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
-+
-+    ### 6.2.19 Ensure shadow group is empty (Scored)
-+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
-+
-+    ### 6.2.20 Ensure all users' home directories exist (Scored)
-+    - accounts_user_interactive_home_directory_exists
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index feb31b0395..9e7bd35178 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -901,8 +901,6 @@ CCE-84270-8
- CCE-84271-6
- CCE-84272-4
- CCE-84273-2
--CCE-84274-0
--CCE-84275-7
- CCE-84276-5
- CCE-84277-3
- CCE-84278-1
-
-From c8a19c84dad5165ece50f6148646f9bbc8c4c3fd Mon Sep 17 00:00:00 2001
-From: Shawn Wells <shawn@shawndwells.io>
-Date: Sat, 25 Apr 2020 18:52:21 -0400
-Subject: [PATCH 02/20] misc cis8 updates
-
----
- .../accounts_users_home_files_ownership/rule.yml                | 1 +
- .../logging/log_rotation/ensure_logrotate_activated/rule.yml    | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
-index a9c73e46ac..8e225cdc64 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
-@@ -24,6 +24,7 @@ references:
-     stigid@ol7: "020660"
-     disa: "366"
-     srg: SRG-OS-000480-GPOS-00227
-+    cis@rhel8: 6.2.8
-     stigid@rhel7: "020660"
- 
- ocil_clause: 'the user ownership is incorrect'
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-index 2c41a3b9ef..6e569edfa9 100644
---- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-@@ -35,7 +35,7 @@ references:
-     cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
-     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
-     cis-csc: 1,14,15,16,3,5,6
--    cis@rhel8: 4.3
-+    cis@rhel8: "4.3"
-     anssi: NT28(R43),NT12(R18)
- 
- ocil_clause: 'logrotate is not configured to run daily'
-
-From f8d80a55f0cd6bf3b9bf5b75ba037466b7fc89c8 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 22:32:44 +0200
-Subject: [PATCH 03/20] Add auxiliary rule for dconf settings
-
----
- rhel8/profiles/cis.profile | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 528f17d696..202db7f693 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -8,6 +8,8 @@ description: |-
-     09-30-2019.
- 
- selections:
-+    # Necessary for dconf rules
-+    - dconf_db_up_to_date
- 
-     ### Partitioning
-     - mount_option_home_nodev
-
-From 865fe310e82a1eb0fc0c37c8de253dc7171abae7 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 22:43:20 +0200
-Subject: [PATCH 04/20] Update time synchonization rule selections
-
-In RHEL8, only chrony is available
----
- rhel8/profiles/cis.profile | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 202db7f693..762d4a04e3 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -256,10 +256,12 @@ selections:
-     ### 2.2.1 Time Synchronization
- 
-     #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
--    - service_chronyd_or_ntpd_enabled
-+    - package_chrony_installed
- 
-     #### 2.2.1.2 Ensure chrony is configured (Scored)
--    - chronyd_or_ntpd_specify_remote_server
-+    - service_chronyd_enabled
-+    - chronyd_specify_remote_server
-+    - chronyd_run_as_chrony_user
- 
-     ### 2.2.2 Ensure X Window System is not installed (Scored)
-     - package_xorg-x11-server-common_removed
-
-From a515b26c5af850dbc7917807397668df8a076249 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 22:49:55 +0200
-Subject: [PATCH 05/20] Select sysctl rules for secure ICMp redirects
-
-Fixes: #5234
-Fixes: #5235
----
- rhel8/profiles/cis.profile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 762d4a04e3..3a8e19259b 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -371,14 +371,14 @@ selections:
-     - sysctl_net_ipv6_conf_all_accept_redirects
- 
-     #### net.ipv6.conf.defaults.accept_redirects = 0
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5234
-+    - sysctl_net_ipv6_conf_default_accept_redirects
- 
-     ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
-     #### net.ipv4.conf.all.secure_redirects = 0
-     - sysctl_net_ipv4_conf_all_secure_redirects
- 
-     #### net.ipv4.cof.default.secure_redirects = 0
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5235
-+    - sysctl_net_ipv4_conf_default_secure_redirects
- 
-     ### 3.2.4 Ensure suspicious packets are logged (Scored)
-     #### net.ipv4.conf.all.log_martians = 1
-
-From d14ce8e0ab8c39282883520bb141919af379d0fa Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:02:09 +0200
-Subject: [PATCH 06/20] Select Audit DAC rules for RHEL8 CIS
-
-Fixes: #5509
----
- rhel8/profiles/cis.profile | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 3a8e19259b..a990de4565 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -606,7 +606,19 @@ selections:
- 
-     ### 4.1.9 Ensure discretionary access control permission modification
-     ###       events are collected (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
-+    - audit_rules_dac_modification_chmod
-+    - audit_rules_dac_modification_fchmod
-+    - audit_rules_dac_modification_fchmodat
-+    - audit_rules_dac_modification_chown
-+    - audit_rules_dac_modification_fchown
-+    - audit_rules_dac_modification_fchownat
-+    - audit_rules_dac_modification_lchown
-+    - audit_rules_dac_modification_setxattr
-+    - audit_rules_dac_modification_lsetxattr
-+    - audit_rules_dac_modification_fsetxattr
-+    - audit_rules_dac_modification_removexattr
-+    - audit_rules_dac_modification_lremovexattr
-+    - audit_rules_dac_modification_fremovexattr
-     
-     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
-     ###        collected (Scored)
-
-From aec372e7bd05b3ed470f188952dbf11a6ae123ad Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:07:34 +0200
-Subject: [PATCH 07/20] Select rules for unsuccessful modification
-
-Fixes: #5510
----
- rhel8/profiles/cis.profile | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index a990de4565..db54d9ece5 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -622,7 +622,13 @@ selections:
-     
-     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
-     ###        collected (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
-+    - audit_rules_unsuccessful_file_modification_creat
-+    - audit_rules_unsuccessful_file_modification_open
-+    - audit_rules_unsuccessful_file_modification_openat
-+    - audit_rules_unsuccessful_file_modification_truncate
-+    - audit_rules_unsuccessful_file_modification_ftruncate
-+    # Opinionated selection
-+    - audit_rules_unsuccessful_file_modification_open_by_handle_at
- 
-     ### 4.1.11 Ensure events that modify user/group information are
-     ###        collected (Scored)
-
-From 69493775c8a5b140f55802f7dca84c659662039c Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:10:45 +0200
-Subject: [PATCH 08/20] Select rules for user/group modification
-
-Fixes: #5511
----
- rhel8/profiles/cis.profile | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index db54d9ece5..f8ec16b9a8 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -632,7 +632,11 @@ selections:
- 
-     ### 4.1.11 Ensure events that modify user/group information are
-     ###        collected (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
-+    - audit_rules_usergroup_modification_passwd
-+    - audit_rules_usergroup_modification_group
-+    - audit_rules_usergroup_modification_gshadow
-+    - audit_rules_usergroup_modification_shadow
-+    - audit_rules_usergroup_modification_opasswd
- 
-     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
-     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
-
-From 86c35876312882a861d253e13d31ff5bfc32630b Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:12:58 +0200
-Subject: [PATCH 09/20] Audit successful system mounts
-
-Fixes: #5512
----
- rhel8/profiles/cis.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index f8ec16b9a8..e4f5313e3e 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -639,7 +639,7 @@ selections:
-     - audit_rules_usergroup_modification_opasswd
- 
-     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
-+    - audit_rules_media_export
- 
-     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
-     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
-
-From ea7ef606c881fdddecfef036383fbd0718950162 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:14:21 +0200
-Subject: [PATCH 10/20] Audit privileged commands
-
-Fixes: #5513
----
- rhel8/profiles/cis.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index e4f5313e3e..087dd79bb5 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -642,7 +642,7 @@ selections:
-     - audit_rules_media_export
- 
-     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
-+    - audit_rules_privileged_commands
- 
-     ### 4.1.14 Ensure file deletion events by users are collected
-     ###        (Scored)
-
-From 16d84540566c8fa6d9f6880f3f1fe04edf97b822 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:15:49 +0200
-Subject: [PATCH 11/20] Audit file deletion events
-
-Fixes: #5514
----
- rhel8/profiles/cis.profile | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 087dd79bb5..ca42f24190 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -646,7 +646,12 @@ selections:
- 
-     ### 4.1.14 Ensure file deletion events by users are collected
-     ###        (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
-+    - audit_rules_file_deletion_events_unlink
-+    - audit_rules_file_deletion_events_unlinkat
-+    - audit_rules_file_deletion_events_rename
-+    - audit_rules_file_deletion_events_renameat
-+    # Opinionated selection
-+    - audit_rules_file_deletion_events_rmdir
- 
-     ### 4.1.15 Ensure kernel module loading and unloading is collected
-     ###        (Scored)
-
-From 8377e1d574a9d0388c0847177f11afe83af3a30f Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:16:33 +0200
-Subject: [PATCH 12/20] Audit kernel module loads
-
-Fixes: #5515
----
- rhel8/profiles/cis.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index ca42f24190..5e214941ec 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -655,7 +655,7 @@ selections:
- 
-     ### 4.1.15 Ensure kernel module loading and unloading is collected
-     ###        (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
-+    - audit_rules_kernel_module_loading
- 
-     ### 4.1.16 Ensure system administrator actions (sudolog) are
-     ###        collected (Scored)
-
-From 7d62c009987be550d074f8e7cacd2e843d1e3061 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:17:52 +0200
-Subject: [PATCH 13/20] Audit rules should be immutable
-
-Fixes: #5517
----
- rhel8/profiles/cis.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 5e214941ec..a0fdd69869 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -662,7 +662,7 @@ selections:
-     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
- 
-     ### 4.1.17 Ensure the audit configuration is immutable (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
-+    - audit_rules_immutable
- 
-     ## 4.2 Configure Logging
- 
-
-From 02e2a9744bd9eb969b46b18d4824fae65d5764f3 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:31:10 +0200
-Subject: [PATCH 14/20] Select rules for password requirements
-
-Related to: #5533
----
- rhel8/profiles/cis.profile | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index a0fdd69869..a55c3291a9 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -858,7 +858,12 @@ selections:
-     ## 5.4 Configure PAM
- 
-     ### 5.4.1 Ensure password creation requirements are configured (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
-+    # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
-+    - accounts_password_pam_retry
-+    - var_password_pam_minlen=14
-+    - accounts_password_pam_minlen
-+    - var_password_pam_minclass=4
-+    - accounts_password_pam_minclass
- 
-     ### 5.4.2 Ensure lockout for failed password attempts is
-     ###       configured (Scored)
-
-From bec97effc13e0056cbcdc939620e78669558f9a4 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:35:50 +0200
-Subject: [PATCH 15/20] Configure password lockout
-
-Fixes: #5534
----
- rhel8/profiles/cis.profile | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index a55c3291a9..6e10c2efcb 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -867,7 +867,10 @@ selections:
- 
-     ### 5.4.2 Ensure lockout for failed password attempts is
-     ###       configured (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
-+    - var_accounts_passwords_pam_faillock_unlock_time=900
-+    - var_accounts_passwords_pam_faillock_deny=5
-+    - accounts_passwords_pam_faillock_unlock_time
-+    - accounts_passwords_pam_faillock_deny
- 
-     ### 5.4.3 Ensure password reuse is limited (Scored)
-     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
-
-From 73a087ed0b13bb73f1e60792c4d2e3c3aa944cd9 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:38:58 +0200
-Subject: [PATCH 16/20] Configure password reuse
-
-Fixes: #5535
----
- rhel8/profiles/cis.profile | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 6e10c2efcb..2fa85d8676 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -873,7 +873,8 @@ selections:
-     - accounts_passwords_pam_faillock_deny
- 
-     ### 5.4.3 Ensure password reuse is limited (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
-+    - var_password_pam_unix_remember=5
-+    - accounts_password_pam_unix_remember
- 
-     ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
-     - set_password_hashing_algorithm_systemauth
-
-From 4307123e1889359b1c444d55a9b221bc5b3f7970 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:43:04 +0200
-Subject: [PATCH 17/20] Select rule to check useradd INACTIVE setting
-
-Related to: #5536
----
- rhel8/profiles/cis.profile | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 2fa85d8676..e0fd5e1492 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -898,7 +898,10 @@ selections:
-     - accounts_password_warn_age_login_defs
- 
-     #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
-+    # TODO: Rule doesn't check list of users
-+    # https://github.com/ComplianceAsCode/content/issues/5536
-+    - var_account_disable_post_pw_expiration=30
-+    - account_disable_post_pw_expiration
- 
-     #### 5.5.1.5 Ensure all users last password change date is
-     ####         in the past (Scored)
-
-From 07752fbac033400946c29fe6cbfe553913e4a96c Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:46:48 +0200
-Subject: [PATCH 18/20] No shelllogin for system accounts
-
-Fixes: #5538
----
- rhel8/profiles/cis.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index e0fd5e1492..0431fb0d45 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -908,7 +908,7 @@ selections:
-     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
- 
-     ### 5.5.2 Ensure system accounts are secured (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
-+    - no_shelllogin_for_systemaccounts
- 
-     ### 5.5.3 Ensure default user shell timeout is 900 seconds
-     ###       or less (Scored)
-
-From e46c2cfb8541f559b234df9a8a478494db46e785 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 23:54:07 +0200
-Subject: [PATCH 19/20] Partially cover umask requirements
-
-Related to: #5540
----
- rhel8/profiles/cis.profile | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index 0431fb0d45..f332ee5462 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -920,7 +920,9 @@ selections:
-     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
- 
-     ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
--    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
-+    - var_accounts_user_umask=027
-+    - accounts_umask_etc_bashrc
-+    - accounts_umask_etc_profile
- 
-     ## 5.6 Ensure root login is restricted to system console (Not Scored)
-     - securetty_root_login_console_only
-
-From 586cedfb95523acbe0c0c92953851d6536c29230 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 19 May 2020 22:31:16 +0200
-Subject: [PATCH 20/20] account_unique_name: Improve description, rationale and
- OCIL
-
----
- .../account_unique_name/rule.yml              | 19 +++++++++----------
- 1 file changed, 9 insertions(+), 10 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-index 35652a410b..909f1b6657 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-@@ -3,14 +3,13 @@ documentation_complete: true
- title: 'Ensure All Accounts on the System Have Unique Names'
- 
- description: |-
--    Although the <tt>useradd</tt> utility prevents creation of duplicate user
--    names, it is possible for a malicious administrator to manually edit the
--    <tt>/etc/passwd</tt> file and change the user name.
-+    Ensure accounts on the system have unique names.
- 
--rationale: |-
--    If a user is assigned a duplicate user name, the new user will be able to
--    create and have access to files with the first UID for that username as
--    defined in <tt>/etc/passwd</tt>.
-+    To ensure all accounts have unique names, run the following command:
-+    <pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</pre>
-+    If a username is returned, change or delete the username.
-+
-+rationale: 'Unique usernames allow for accountability on the system.'
- 
- severity: medium
- 
-@@ -30,6 +29,6 @@ references:
- ocil_clause: 'a line is returned'
- 
- ocil: |-
--    Run the following command to check for duplicate account names:
--    <pre>$ sudo pwck -qr</pre>
--    If there are no duplicate names, no line will be returned.
-+    To verify all accounts have unique names, run the following command:
-+    <pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</pre>
-+    No output should be returned.
diff --git a/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch b/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch
deleted file mode 100644
index 801edff..0000000
--- a/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 5a5b3bdead44bd24fb138bd7b9785d4e0809ff4b Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 28 Jul 2020 13:22:58 +0200
-Subject: [PATCH 1/2] update wording for rhel7 profile
-
----
- rhel7/profiles/hipaa.profile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile
-index 4310561323..000441de52 100644
---- a/rhel7/profiles/hipaa.profile
-+++ b/rhel7/profiles/hipaa.profile
-@@ -12,6 +12,7 @@ description: |-
- 
-     This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security
-     Rule identified for securing of electronic protected health information.
-+    Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
- 
- selections:
-     - grub2_password
-
-From 0c5cc87c4f8aaed8eb199b77440ae0dc64658e4a Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 28 Jul 2020 13:23:18 +0200
-Subject: [PATCH 2/2] update wording for rhel8 profile
-
----
- rhel8/profiles/hipaa.profile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
-index 8d20f9019c..0cb7fbed1f 100644
---- a/rhel8/profiles/hipaa.profile
-+++ b/rhel8/profiles/hipaa.profile
-@@ -12,6 +12,7 @@ description: |-
- 
-     This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
-     Rule identified for securing of electronic protected health information.
-+    Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).   
- 
- selections:
-     - grub2_password
diff --git a/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch b/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
deleted file mode 100644
index 36b46ee..0000000
--- a/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 4c54b1cfb05961bde8248e03d27cabeca967e211 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Mon, 17 Aug 2020 10:59:15 +0200
-Subject: [PATCH] Remove SCAP-1.3 SCAPVAL workarounds
-
-These changes to the DS cause SRC-330 to fail in SCAPVAL-1.3.5.
-In SCAPVAL-1.3.5 was fixed and these false positive workarounds are not
-necessary anymore.
----
- tests/run_scapval.py | 26 --------------------------
- 1 file changed, 26 deletions(-)
-
-diff --git a/tests/run_scapval.py b/tests/run_scapval.py
-index e1dd806ca1..bc2655b9fd 100755
---- a/tests/run_scapval.py
-+++ b/tests/run_scapval.py
-@@ -46,35 +46,9 @@ def process_results(result_path):
-     return ret_val
- 
- 
--def workaround_datastream(datastream_path):
--    tree = ET.parse(datastream_path)
--    root = tree.getroot()
--    # group_id and user_id cannot be zero
--    # tracked at https://github.com/OVAL-Community/OVAL/issues/23
--    for group_id_element in root.findall(".//{%s}group_id" % oval_unix_ns):
--        if group_id_element.text is not None:
--            group_id_element.text = "-1"
--    for user_id_element in root.findall(".//{%s}user_id" % oval_unix_ns):
--        if user_id_element.text is not None:
--            user_id_element.text = "-1"
--    # OCIL checks for security_patches_up_to_date is causing fail
--    # of SRC-377, when requirement is about OVAL checks.
--    rule_id = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date"
--    for rule in root.findall(".//{%s}Rule[@id=\"%s\"]" % (xccdf_ns, rule_id)):
--        for check in rule.findall("{%s}check" % xccdf_ns):
--            system = check.get("system")
--            if system == "http://scap.nist.gov/schema/ocil/2":
--                rule.remove(check)
--    output_path = datastream_path + ".workaround.xml"
--    tree.write(output_path)
--    return output_path
--
--
- def test_datastream(datastream_path,  scapval_path, scap_version):
-     result_path = datastream_path + ".result.xml"
-     report_path = datastream_path + ".report.html"
--    if scap_version == "1.3":
--        datastream_path = workaround_datastream(datastream_path)
-     scapval_command = [
-             "java",
-             "-Xmx1024m",
diff --git a/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch b/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
deleted file mode 100644
index 4f0e114..0000000
--- a/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
+++ /dev/null
@@ -1,408 +0,0 @@
-From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 8 Jul 2020 17:37:50 +0200
-Subject: [PATCH 1/9] create rule, check, bash remediation
-
----
- .../bash/shared.sh                            |  9 +++++
- .../oval/shared.xml                           |  1 +
- .../harden_openssl_crypto_policy/rule.yml     | 33 +++++++++++++++++++
- shared/references/cce-redhat-avail.txt        |  2 --
- 4 files changed, 43 insertions(+), 2 deletions(-)
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
-new file mode 100644
-index 0000000000..9838a13c95
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
-@@ -0,0 +1,9 @@
-+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
-+
-+cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-+file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
-+
-+#blank line at the begining to ease later readibility
-+echo '' > "$file"
-+echo "$cp" >> "$file"
-+update-crypto-policies
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
-new file mode 100644
-index 0000000000..09199ce4da
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
-@@ -0,0 +1 @@
-+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-new file mode 100644
-index 0000000000..afbdb36a23
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-@@ -0,0 +1,32 @@
-+documentation_complete: true
-+
-+prodtype: rhel8
-+
-+title: 'Harden OpenSSL Crypto Policy'
-+
-+description: |-
-+    Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
-+    OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
-+    This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
-+    Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt>  variable configured with predefined value.
-+
-+rationale: |-
-+    The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel8: 84286-4
-+
-+references:
-+    nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
-+    ospp : FCS_SSHS_EXT.1
-+    srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
-+
-+ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
-+
-+ocil: |-
-+    To verify if the OpenSSL uses defined Crypto Policy, run:
-+    <pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>
-+    and verify that the line matches
-+    <pre>84285-6</pre>
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index afc0d80417..01b321b6d5 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -904,8 +904,6 @@ CCE-84281-5
- CCE-84282-3
- CCE-84283-1
- CCE-84284-9
--CCE-84285-6
--CCE-84286-4
- CCE-84287-2
- CCE-84288-0
- CCE-84289-8
-
-From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 8 Jul 2020 17:38:32 +0200
-Subject: [PATCH 2/9] add tests
-
----
- .../harden_openssl_crypto_policy/tests/correct.pass.sh    | 7 +++++++
- .../tests/correct_commented.fail.sh                       | 7 +++++++
- .../tests/correct_followed_by_incorrect.fail.sh           | 8 ++++++++
- .../tests/empty_policy.fail.sh                            | 7 +++++++
- .../tests/incorrect_followed_by_correct.pass.sh           | 8 ++++++++
- .../tests/incorrect_policy.fail.sh                        | 7 +++++++
- .../tests/missing_file.fail.sh                            | 7 +++++++
- 7 files changed, 51 insertions(+)
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
-new file mode 100644
-index 0000000000..9e59b30bd2
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
-+
-+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
-new file mode 100644
-index 0000000000..91863849b3
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
-+
-+echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
-new file mode 100644
-index 0000000000..f44957d3e1
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
-+
-+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
-+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile"
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
-new file mode 100644
-index 0000000000..5b14fe8ef4
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
-+
-+echo "Ciphersuites=" > "$configfile"
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
-new file mode 100644
-index 0000000000..6be3bb2ffa
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
-+
-+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
-+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile"
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
-new file mode 100644
-index 0000000000..b4fd0f97be
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
-+
-+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
-new file mode 100644
-index 0000000000..2d11d227cb
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
-+
-+rm -f "$configfile"
-
-From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 9 Jul 2020 09:05:38 +0200
-Subject: [PATCH 3/9] remove blank line from remediation
-
----
- .../crypto/harden_openssl_crypto_policy/bash/shared.sh         | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
-index 9838a13c95..be6f84f83d 100644
---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
-@@ -3,7 +3,6 @@
- cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
- file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
- 
--#blank line at the begining to ease later readibility
--echo '' > "$file"
-+
- echo "$cp" >> "$file"
- update-crypto-policies
-
-From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 9 Jul 2020 09:06:02 +0200
-Subject: [PATCH 4/9] fix separator regex in oval
-
----
- .../crypto/harden_openssl_crypto_policy/oval/shared.xml         | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
-index 09199ce4da..37be62ee39 100644
---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
-@@ -1 +1 @@
--{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
-+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}}
-
-From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 9 Jul 2020 09:06:29 +0200
-Subject: [PATCH 5/9] reformat rule, fix wrong ocil
-
----
- .../harden_openssl_crypto_policy/rule.yml     | 22 ++++++++++++++-----
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-index afbdb36a23..d019d6cd32 100644
---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-@@ -5,13 +5,23 @@ prodtype: rhel8
- title: 'Harden OpenSSL Crypto Policy'
- 
- description: |-
--    Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
--    OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
--    This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
--    Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt>  variable configured with predefined value.
-+    Crypto Policies are means of enforcing certain cryptographic settings for
-+    selected applications including OpenSSL. OPenSSL is by default configured to
-+    modify its configuration based on currently configured Crypto-Policy.
-+    However, in certain cases it might be needed to override the Crypto Policy
-+    specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
-+    be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
-+    <tt>xxx</tt> with arbitrary identifier, into
-+    <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
-+    <tt>update-crypto-policies</tt> so that changes are applied. Changes are
-+    propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>.
-+    This rule checks if this file contains predefined <tt>Ciphersuites</tt>
-+    variable configured with predefined value.
- 
- rationale: |-
--    The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
-+    The Common Criteria requirements specify that certain parameters for OpenSSL
-+    are configured e.g. cipher suites. Currently particular requirements
-+    specified by CC are stricter compared to any existing Crypto Policy.
- 
- severity: medium
- 
-@@ -30,4 +40,4 @@ ocil: |-
-     To verify if the OpenSSL uses defined Crypto Policy, run:
-     <pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>
-     and verify that the line matches
--    <pre>84285-6</pre>
-+    <pre>Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</pre>
-
-From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 13 Jul 2020 09:49:34 +0200
-Subject: [PATCH 6/9] update references
-
----
- .../integrity/crypto/harden_openssl_crypto_policy/rule.yml    | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-index d019d6cd32..075e381906 100644
---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-@@ -31,8 +31,8 @@ identifiers:
- 
- references:
-     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
--    ospp : FCS_SSHS_EXT.1
--    srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
-+    ospp: FCS_TLSC_EXT.1.1
-+    srg: SRG-OS-000250-GPOS-00093
- 
- ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
- 
-
-From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 13 Jul 2020 09:49:48 +0200
-Subject: [PATCH 7/9] add ansible remediation
-
----
- .../ansible/shared.yml                           | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
- create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
-new file mode 100644
-index 0000000000..d5c2c2b9f7
---- /dev/null
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
-@@ -0,0 +1,16 @@
-+# platform = Red Hat Enterprise Linux 8
-+# reboot = true
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
-+
-+- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config"
-+  lineinfile:
-+    path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config"
-+    line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-+    create: yes
-+    insertafter: EOF
-+
-+- name: "Update system crypto policy for changes to take effect"
-+  command:
-+    cmd: "update-crypto-policies"
-
-From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001
-From: vojtapolasek <krecoun@gmail.com>
-Date: Wed, 15 Jul 2020 09:26:11 +0200
-Subject: [PATCH 8/9] fix typos
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Co-authored-by: Jan Černý <jcerny@redhat.com>
----
- .../integrity/crypto/harden_openssl_crypto_policy/rule.yml  | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-index 075e381906..ce0351aa34 100644
---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy'
- 
- description: |-
-     Crypto Policies are means of enforcing certain cryptographic settings for
--    selected applications including OpenSSL. OPenSSL is by default configured to
--    modify its configuration based on currently configured Crypto-Policy.
-+    selected applications including OpenSSL. OpenSSL is by default configured to
-+    modify its configuration based on currently configured Crypto Policy.
-     However, in certain cases it might be needed to override the Crypto Policy
--    specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
-+    specific to OpenSSL and leave rest of the Crypto Policy intact. This can
-     be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
-     <tt>xxx</tt> with arbitrary identifier, into
-     <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
-
-From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 15 Jul 2020 09:36:06 +0200
-Subject: [PATCH 9/9] update rule references
-
----
- .../integrity/crypto/harden_openssl_crypto_policy/rule.yml    | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-index ce0351aa34..0cbead2a6d 100644
---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
-@@ -30,8 +30,8 @@ identifiers:
- 
- references:
--    nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
-+    nist: SC-8(1),SC-13
-     ospp: FCS_TLSC_EXT.1.1
--    srg: SRG-OS-000250-GPOS-00093
-+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
- 
- ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
- 
diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
deleted file mode 100644
index 88f8237..0000000
--- a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From eb3a18cea5776038d0aeef0299083fcd282a0177 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Mon, 17 Aug 2020 15:56:40 +0200
-Subject: [PATCH] Add a missing Crypto Policy rule to OSPP.
-
-The rule fell out by mistake, this addition complements #4682
----
- rhel8/profiles/ospp.profile                     | 1 +
- tests/data/profile_stability/rhel8/ospp.profile | 1 +
- tests/data/profile_stability/rhel8/stig.profile | 5 +++--
- 3 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
-index 5b5b5b711a..a651885eef 100644
---- a/rhel8/profiles/ospp.profile
-+++ b/rhel8/profiles/ospp.profile
-@@ -235,6 +235,7 @@ selections:
-     - enable_fips_mode
-     - var_system_crypto_policy=fips_ospp
-     - configure_crypto_policy
-+    - configure_ssh_crypto_policy
-     - configure_bind_crypto_policy
-     - configure_openssl_crypto_policy
-     - configure_libreswan_crypto_policy
-diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index 5aa3592496..13c4e6b08d 100644
---- a/tests/data/profile_stability/rhel8/ospp.profile
-+++ b/tests/data/profile_stability/rhel8/ospp.profile
-@@ -62,6 +62,7 @@ selections:
- - configure_kerberos_crypto_policy
- - configure_libreswan_crypto_policy
- - configure_openssl_crypto_policy
-+- configure_ssh_crypto_policy
- - configure_tmux_lock_after_time
- - configure_tmux_lock_command
- - configure_usbguard_auditbackend
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index 9b164eb5c2..c7fe02169a 100644
---- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -77,6 +77,7 @@ selections:
- - configure_kerberos_crypto_policy
- - configure_libreswan_crypto_policy
- - configure_openssl_crypto_policy
-+- configure_ssh_crypto_policy
- - configure_tmux_lock_after_time
- - configure_tmux_lock_command
- - configure_usbguard_auditbackend
diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
deleted file mode 100644
index c469fe6..0000000
--- a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 87e62e90df9995de6aca436e9242c0ac4d72e136 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Tue, 18 Aug 2020 13:55:12 +0200
-Subject: [PATCH] Added SRG to configure_ssh_crypto_policy
-
-https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2016-04-25/finding/V-56935
----
- .../integrity/crypto/configure_ssh_crypto_policy/rule.yml        | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
-index e2dd99dbb5..51788a3226 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
-@@ -24,6 +24,7 @@ identifiers:
- references:
-     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
-     cis@rhel8: 5.2.20
-+    srg: SRG-OS-000250-GPOS-00093
- 
- ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
- 
diff --git a/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch b/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
deleted file mode 100644
index e734ce1..0000000
--- a/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
+++ /dev/null
@@ -1,209 +0,0 @@
-From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 7 Jul 2020 11:31:59 +0200
-Subject: [PATCH 1/3] modify rule description and ocil
-
----
- .../selinux_all_devicefiles_labeled/rule.yml  | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
-index 765fca583e..1667557740 100644
---- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
-@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux'
- 
- description: |-
-     Device files, which are used for communication with important system
--    resources, should be labeled with proper SELinux types. If any device
--    files do not carry the SELinux type <tt>device_t</tt>, report the bug so
--    that policy can be corrected. Supply information about what the device is
--    and what programs use it.
-+    resources, should be labeled with proper SELinux types. If any device files
-+    carry the SELinux type <tt>device_t</tt> or <tt>unlabeled_t</tt>, report the
-+    bug so that policy can be corrected. Supply information about what the
-+    device is and what programs use it.
-     <br /><br />
--    To check for unlabeled device files, run the following command:
-+    To check for incorrectly labeled device files, run following commands:
-     <pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
-+    <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
-     It should produce no output in a well-configured system.
- 
- rationale: |-
--    If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
--    cannot properly restrict access to the device file.
-+    If a device file carries the SELinux type <tt>device_t</tt> or
-+    <tt>unlabeled_t</tt>, then SELinux cannot properly restrict access to the
-+    device file.
- 
- severity: medium
- 
-@@ -45,8 +47,9 @@ references:
- ocil_clause: 'there is output'
- 
- ocil: |-
--    To check for unlabeled device files, run the following command:
-+    To check for incorrectly labeled device files, run following commands:
-     <pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
-+    <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
-     It should produce no output in a well-configured system.
- 
- warnings:
-
-From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 7 Jul 2020 11:32:57 +0200
-Subject: [PATCH 2/3] updated oval to check only device files
-
----
- .../oval/shared.xml                           | 64 +++++++++++++------
- 1 file changed, 43 insertions(+), 21 deletions(-)
-
-diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
-index 51b68008af..7dcfb98577 100644
---- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
-@@ -2,32 +2,54 @@
-   <definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
-     <metadata>
-       <title>Device Files Have Proper SELinux Context</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 6</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>All device files in /dev should be assigned an SELinux security context other than 'device_t'.</description>
-+      {{{- oval_affected(products) }}}
-+      <description>All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.</description>
-     </metadata>
--    <criteria>
--      <criterion comment="device_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" />
-+    <criteria operator="AND">
-+      <criterion comment="device_t in /dev" test_ref="test_selinux_dev_device_t" />
-+      <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_dev_unlabeled_t" />
-     </criteria>
-   </definition>
--  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_all_devicefiles_labeled" version="2">
--    <linux:object object_ref="object_selinux_all_devicefiles_labeled" />
--    <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
-+
-+  <!-- collect all special files from /dev directory -->
-+  <unix:file_object id="object_dev_device_files" comment="device files within /dev directory" version="1">
-+    <unix:behaviors recurse_direction="down" />
-+    <unix:path operation="equals">/dev</unix:path>
-+    <unix:filename operation="pattern match">^.*$</unix:filename>
-+    <filter action="include">state_block_or_char_device_file</filter>
-+  </unix:file_object>
-+
-+  <unix:file_state id="state_block_or_char_device_file" version="1" comment="device files" >
-+    <unix:type operation="pattern match">^(block|character) special$</unix:type>
-+  </unix:file_state>
-+
-+  <local_variable id="variable_dev_device_files" comment="all device files within /dev directory" datatype="string" version="1">
-+    <object_component object_ref="object_dev_device_files" item_field="filepath" />
-+  </local_variable>
-+
-+
-+  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_dev_device_t" version="2">
-+    <linux:object object_ref="object_selinux_dev_device_t" />
-+    <linux:state state_ref="state_selinux_dev_device_t" />
-   </linux:selinuxsecuritycontext_test>
--  <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
--    <linux:behaviors recurse_direction="down" />
--    <linux:path>/dev</linux:path>
--    <linux:filename operation="pattern match">^.*$</linux:filename>
--    <filter action="include">state_selinux_all_devicefiles_labeled</filter>
-+  <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_dev_device_t" version="1">
-+    <linux:filepath operation="equals" var_ref="variable_dev_device_files"  var_check="at least one"/>
-+    <filter action="include">state_selinux_dev_device_t</filter>
-   </linux:selinuxsecuritycontext_object>
--  <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
-+  <linux:selinuxsecuritycontext_state comment="device_t label" id="state_selinux_dev_device_t" version="1">
-     <linux:type datatype="string" operation="equals">device_t</linux:type>
-   </linux:selinuxsecuritycontext_state>
-+
-+  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_dev_unlabeled_t" version="2">
-+    <linux:object object_ref="object_selinux_dev_unlabeled_t" />
-+    <linux:state state_ref="state_selinux_dev_unlabeled_t" />
-+  </linux:selinuxsecuritycontext_test>
-+  <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_dev_unlabeled_t" version="1">
-+    <linux:filepath operation="equals" var_ref="variable_dev_device_files"  var_check="at least one"/>
-+    <filter action="include">state_selinux_dev_unlabeled_t</filter>
-+  </linux:selinuxsecuritycontext_object>
-+  <linux:selinuxsecuritycontext_state comment="unlabeled_t label" id="state_selinux_dev_unlabeled_t" version="1">
-+    <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
-+  </linux:selinuxsecuritycontext_state>
-+
- </def-group>
-
-From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 7 Jul 2020 11:33:26 +0200
-Subject: [PATCH 3/3] add tests
-
----
- .../tests/block_device_device_t.fail.sh            |  4 ++++
- .../tests/char_device_unlabeled_t.fail.sh          | 14 ++++++++++++++
- .../tests/regular_file_device_t.pass.sh            |  4 ++++
- .../tests/symlink_with_wrong_label.pass.sh         |  4 ++++
- 4 files changed, 26 insertions(+)
- create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
- create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
- create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
- create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
-
-diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
-new file mode 100644
-index 0000000000..08c4142e5b
---- /dev/null
-+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+
-+mknod /dev/foo b 1 5
-+chcon -t device_t /dev/foo
-diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
-new file mode 100644
-index 0000000000..1da85c2034
---- /dev/null
-+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
-@@ -0,0 +1,14 @@
-+#!/bin/bash
-+
-+# selinux does not allow unlabeled_t in /dev
-+# we have to modify the selinux policy to allow that
-+
-+echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil
-+semodule -i /tmp/unlabeled_t.cil
-+
-+mknod /dev/foo c 1 5
-+chcon -t unlabeled_t /dev/foo
-+
-+
-+mknod /dev/foo c 1 5
-+chcon -t device_t /dev/foo
-diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
-new file mode 100644
-index 0000000000..d161951d7a
---- /dev/null
-+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+
-+touch /dev/foo
-+restorecon -F /dev/foo
-diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
-new file mode 100644
-index 0000000000..a8280bf37e
---- /dev/null
-+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+
-+ln -s /dev/cpu /dev/foo
-+restorecon -F /dev/foo
diff --git a/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch b/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
deleted file mode 100644
index 927acb5..0000000
--- a/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-From 8a6e3fcbe387e6b5476375448964dab198d94959 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 2 Sep 2020 10:01:45 +0200
-Subject: [PATCH] add CUI kickstart for rhel8
-
----
- rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++++++++++++++++++++++++++
- 1 file changed, 167 insertions(+)
- create mode 100644 rhel8/kickstart/ssg-rhel8-cui-ks.cfg
-
-diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
-new file mode 100644
-index 0000000000..0957fded96
---- /dev/null
-+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
-@@ -0,0 +1,167 @@
-+# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
-+#
-+# Based on:
-+# http://fedoraproject.org/wiki/Anaconda/Kickstart
-+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-+
-+# Install a fresh new system (optional)
-+install
-+
-+# Specify installation method to use for installation
-+# To use a different one comment out the 'url' one below, update
-+# the selected choice with proper options & un-comment it
-+#
-+# Install from an installation tree on a remote server via FTP or HTTP:
-+# --url		the URL to install from
-+#
-+# Example:
-+#
-+# url --url=http://192.168.122.1/image
-+#
-+# Modify concrete URL in the above example appropriately to reflect the actual
-+# environment machine is to be installed in
-+#
-+# Other possible / supported installation methods:
-+# * install from the first CD-ROM/DVD drive on the system:
-+#
-+# cdrom
-+#
-+# * install from a directory of ISO images on a local drive:
-+#
-+# harddrive --partition=hdb2 --dir=/tmp/install-tree
-+#
-+# * install from provided NFS server:
-+#
-+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
-+#
-+# Set language to use during installation and the default language to use on the installed system (required)
-+lang en_US.UTF-8
-+
-+# Set system keyboard type / layout (required)
-+keyboard us
-+
-+# Configure network information for target system and activate network devices in the installer environment (optional)
-+# --onboot	enable device at a boot time
-+# --device	device to be activated and / or configured with the network command
-+# --bootproto	method to obtain networking configuration for device (default dhcp)
-+# --noipv6	disable IPv6 on this device
-+#
-+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
-+#       "--bootproto=static" must be used. For example:
-+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
-+#
-+network --onboot yes --bootproto dhcp
-+
-+# Set the system's root password (required)
-+# Plaintext password is: server
-+# Refer to e.g.
-+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-+
-+# The selected profile will restrict root login
-+# Add a user that can login and escalate privileges
-+# Plaintext password is: admin123
-+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-+
-+# Configure firewall settings for the system (optional)
-+# --enabled	reject incoming connections that are not in response to outbound requests
-+# --ssh		allow sshd service through the firewall
-+firewall --enabled --ssh
-+
-+# Set up the authentication options for the system (required)
-+# --enableshadow	enable shadowed passwords by default
-+# --passalgo		hash / crypt algorithm for new passwords
-+# See the manual page for authconfig for a complete list of possible options.
-+authconfig --enableshadow --passalgo=sha512
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Refer to e.g.
-+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+# 
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux	erase all Linux partitions
-+# --initlabel	initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup --pesize=4096 pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#  
-+#  Important
-+#   Applying a security policy is not necessary on all systems. This screen should only be used
-+#   when a specific policy is mandated by your organization rules or government regulations.
-+#   Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+#   Values can be optionally enclosed in single quotes (') or double quotes (").
-+#   
-+#  The following keys are recognized by the add-on:
-+#    content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
-+#      - If the content-type is scap-security-guide, the add-on will use content provided by the
-+#        scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
-+#    content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
-+#    datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
-+#    xccdf-id - ID of the benchmark you want to use.
-+#    xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
-+#    profile - ID of the profile to be applied. Use default to apply the default profile.
-+#    fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
-+#    tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
-+#
-+#  The following is an example %addon org_fedora_oscap section which uses content from the
-+#  scap-security-guide on the installation media: 
-+%addon org_fedora_oscap
-+	content-type = scap-security-guide
-+	profile = xccdf_org.ssgproject.content_profile_cui
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+
-+# Require @Base
-+@Base
-+
-+%end # End of %packages section
-+
-+# Reboot after the installation is complete (optional)
-+# --eject	attempt to eject CD or DVD media before rebooting
-+reboot --eject
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index e098e0d..bb7a7bd 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name:		scap-security-guide
-Version:	0.1.50
-Release:	14%{?dist}
+Version:	0.1.53
+Release:	2%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 Group:		Applications/System
 License:	BSD
@@ -8,33 +8,6 @@ URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0:		disable-not-in-good-shape-profiles.patch
-Patch1:		scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
-Patch2:		scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
-Patch3:		scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
-Patch4:		scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
-Patch5:		scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
-# Patch6 already contains typo fix
-Patch6:		scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
-Patch7:		scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
-Patch8:		scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
-Patch9:		scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
-Patch10:		scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
-Patch11:		scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
-Patch12:		scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
-Patch13:		scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
-Patch14:		scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
-Patch15:		scap-security-guide-0.1.52-fix_hipaa_description.patch
-Patch16:		scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
-Patch17:		scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
-Patch18:		scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
-Patch19:		scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
-Patch20:		scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
-Patch21:		scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
-Patch22:		scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
-Patch23:		scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
-Patch24:		scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
-Patch25:		scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
-Patch26:		scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
 
 BuildArch:	noarch
 
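Review bot: The retained comment above Patch0, `# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream`, may no longer match what that patch does after this rebase, because the same commit reworks disable-not-in-good-shape-profiles.patch and the new changelog entry says "Update list of profiles built (RHBZ#1889344)". If the set of profiles kept in the RHEL8 datastream changed, the comment should be updated to name the profiles actually retained by 0.1.53-2 rather than the list from the 0.1.50 era; the patch content itself is outside this hunk, so this is inferred from the changelog wording. Dropping Patch1 through Patch26 without a note leaves a reader to infer that their changes (CIS/HIPAA updates, the selinux_all_devicefiles_labeled rework, the CUI kickstart, the SSH crypto-policy SRG) landed upstream in 0.1.53; a one-line comment such as `# Backports carried in 0.1.50-x were merged upstream in 0.1.53` next to Patch0 would make the rebase auditable without diffing the tarballs. The %patch list removal in the %prep hunk below is the counterpart of this change and needs no separate note.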
@@ -70,32 +43,6 @@ present in %{name} package.
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
 mkdir build
 
 %build
@@ -130,6 +77,12 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
+- Update list of profiles built (RHBZ#1889344)
+
+* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
+- Update to the latest upstream release (RHBZ#1889344)
+
 * Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
 - Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)