diff --git a/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch b/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch
new file mode 100644
index 0000000..d7fab70
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch
@@ -0,0 +1,737 @@
+From 3aae2f86f3d75b8bd931922152b9a6175ed18a6b Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 23 Jun 2020 22:27:47 +0200
+Subject: [PATCH 1/5] Add check for zipl installed
+
+Based and valid in RHEL, where zipl is part of s390utils-base.
+---
+ rhel8/cpe/rhel8-cpe-dictionary.xml            |  4 ++
+ .../oval/installed_env_has_zipl_package.xml   | 37 +++++++++++++++++++
+ ssg/constants.py                              |  1 +
+ 3 files changed, 42 insertions(+)
+ create mode 100644 shared/checks/oval/installed_env_has_zipl_package.xml
+
+diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
+index 694cbb5a4e..cccb3c5791 100644
+--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
+@@ -67,4 +67,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/shared/checks/oval/installed_env_has_zipl_package.xml b/shared/checks/oval/installed_env_has_zipl_package.xml
+new file mode 100644
+index 0000000000..ab6545669d
+--- /dev/null
++++ b/shared/checks/oval/installed_env_has_zipl_package.xml
+@@ -0,0 +1,37 @@
++<def-group>
++  <definition class="inventory"
++  id="installed_env_has_zipl_package" version="1">
++    <metadata>
++      <title>System uses zIPL</title>
++      <affected family="unix">
++        <platform>multi_platform_all</platform>
++      </affected>
++      <description>Checks if system uses zIPL bootloader.</description>
++      <reference ref_id="cpe:/a:zipl" source="CPE" />
++    </metadata>
++    <criteria>
++      <criterion comment="Package s390utils-base is installed" test_ref="test_env_has_zipl_installed" />
++    </criteria>
++  </definition>
++
++{{% if pkg_system == "rpm" %}}
++  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
++  id="test_env_has_zipl_installed" version="1"
++  comment="system has package zipl installed">
++    <linux:object object_ref="obj_env_has_zipl_installed" />
++  </linux:rpminfo_test>
++  <linux:rpminfo_object id="obj_env_has_zipl_installed" version="1">
++    <linux:name>s390utils-base</linux:name>
++  </linux:rpminfo_object>
++{{% elif pkg_system == "dpkg" %}}
++  <linux:dpkginfo_test check="all" check_existence="all_exist"
++  id="test_env_has_zipl_installed" version="1"
++  comment="system has package zipl installed">
++    <linux:object object_ref="obj_env_has_zipl_installed" />
++  </linux:dpkginfo_test>
++  <linux:dpkginfo_object id="obj_env_has_zipl_installed" version="1">
++    <linux:name>s390utils-base</linux:name>
++  </linux:dpkginfo_object>
++{{% endif %}}
++
++</def-group>
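Review bot: The dpkg branch of this inventory check looks up `s390utils-base`, which is the RHEL package name carried over from the rpm branch; as far as I know Debian-family distributions ship zipl under a different package (`s390-tools`), so on a dpkg system the definition would evaluate false and every rule behind `platform: zipl` would be reported as not applicable instead of being evaluated — a silent gap rather than a failing check. The commit message already scopes this to RHEL, so if the dpkg branch is a placeholder, a comment saying so would stop it being read as a verified check, e.g. `<!-- NOTE: dpkg package name not verified; rpm name reused -->` before the `dpkginfo_test`. The two branches also disagree on `check_existence` (`at_least_one_exists` for rpm, `all_exist` for dpkg); for a single-object test the outcome should be the same, so using one value in both would be clearer. The same two points apply to the grub2 check added later in this series.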
+diff --git a/ssg/constants.py b/ssg/constants.py
+index fb20fe8107..f03aa87f09 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -506,6 +506,7 @@
+     "sssd": "cpe:/a:sssd",
+     "systemd": "cpe:/a:systemd",
+     "yum": "cpe:/a:yum",
++    "zipl": "cpe:/a:zipl",
+ }
+ 
+ # _version_name_map = {
+
+From c70bdc89bf193f2fdf59cb8c3f06672fc43a0505 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 23 Jun 2020 22:33:07 +0200
+Subject: [PATCH 2/5] Set zipl and machine platforms for zipl content
+
+Add zipl platform to bootloader-zipl and machine platform to all zipl
+rules.
+Final applicability of zipl rules is equivalent to "machine and zipl"
+CPE platform.
+---
+ linux_os/guide/system/bootloader-zipl/group.yml                 | 2 +-
+ .../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml   | 2 ++
+ .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml  | 2 ++
+ .../guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml   | 2 ++
+ .../system/bootloader-zipl/zipl_page_poison_argument/rule.yml   | 2 ++
+ .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml     | 2 ++
+ .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml    | 2 ++
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml      | 2 ++
+ 8 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
+index 36da84530c..64c6c8dffb 100644
+--- a/linux_os/guide/system/bootloader-zipl/group.yml
++++ b/linux_os/guide/system/bootloader-zipl/group.yml
+@@ -8,4 +8,4 @@ description: |-
+     options to it.
+     The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
+ 
+-platform: machine
++platform: zipl
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 16c0b3f89a..2d31ef8ee7 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -38,3 +38,5 @@ ocil: |-
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 47a532d50f..40db232257 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -39,3 +39,5 @@ ocil: |-
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+index 5aa91c16aa..8d28d5495f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -35,3 +35,5 @@ ocil: |-
+     and <tt>/etc/zipl.conf</tt>:
+     <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+     No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index 8546325752..0a8e9a41e2 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -39,3 +39,5 @@ ocil: |-
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index eaef25ce40..20c1448cc8 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -38,3 +38,5 @@ ocil: |-
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 68e91a92d6..54ac688ea0 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -39,3 +39,5 @@ ocil: |-
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 9624b43349..c5979a2016 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -36,3 +36,5 @@ ocil: |-
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
++
++platform: machine
+
+From 02f961ecbe8bcafab72f544c2bc0f9141b9fa8fa Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 23 Jun 2020 23:02:44 +0200
+Subject: [PATCH 3/5] Add check for grub2 installed
+
+Apply new CPE grub2 to bootloader-grub2 group.
+---
+ .../file_groupowner_efi_grub2_cfg/rule.yml    |  2 +
+ .../file_groupowner_grub2_cfg/rule.yml        |  2 +
+ .../file_owner_efi_grub2_cfg/rule.yml         |  2 +
+ .../file_owner_grub2_cfg/rule.yml             |  2 +
+ .../guide/system/bootloader-grub2/group.yml   |  2 +-
+ .../grub2_admin_username/rule.yml             |  2 +
+ .../grub2_enable_iommu_force/rule.yml         |  2 +
+ .../grub2_no_removeable_media/rule.yml        |  2 +
+ .../bootloader-grub2/grub2_password/rule.yml  |  2 +
+ .../grub2_uefi_admin_username/rule.yml        |  2 +
+ .../grub2_uefi_password/rule.yml              |  2 +
+ .../uefi_no_removeable_media/rule.yml         |  2 +
+ .../oval/installed_env_has_grub2_package.xml  | 37 +++++++++++++++++++
+ ssg/constants.py                              |  1 +
+ 14 files changed, 61 insertions(+), 1 deletion(-)
+ create mode 100644 shared/checks/oval/installed_env_has_grub2_package.xml
+
+diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
+index b5b583bd28..a6ac6f7b6b 100644
+--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
+@@ -51,6 +51,8 @@ ocil: |-
+     {{{ ocil_file_group_owner(file="/boot/efi/EFI/redhat/grub.cfg", group="root") }}}
+ {{%- endif %}}
+ 
++platform: machine
++
+ template:
+     name: file_groupowner
+     vars:
+diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
+index 9d89ff5755..93dbf5222d 100644
+--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
+@@ -39,6 +39,8 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/grub2/grub.cfg", grou
+ 
+ ocil: '{{{ ocil_file_group_owner(file="/boot/grub2/grub.cfg", group="root") }}}'
+ 
++platform: machine
++
+ template:
+     name: file_groupowner
+     vars:
+diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
+index ed17987478..e2c118cf0a 100644
+--- a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
+@@ -49,6 +49,8 @@ ocil: |-
+     {{{ ocil_file_owner(file="/boot/efi/EFI/redhat/grub.cfg", owner="root") }}}
+ {{%- endif %}}
+ 
++platform: machine
++
+ template:
+     name: file_owner
+     vars:
+diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
+index 9ce4c3d60b..5086553921 100644
+--- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
+@@ -37,6 +37,8 @@ ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/grub2/grub.cfg", owner="roo
+ 
+ ocil: '{{{ ocil_file_owner(file="/boot/grub2/grub.cfg", owner="root") }}}'
+ 
++platform: machine
++
+ template:
+     name: file_owner
+     vars:
+diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml
+index 69489bc0c2..4ffb40c0e8 100644
+--- a/linux_os/guide/system/bootloader-grub2/group.yml
++++ b/linux_os/guide/system/bootloader-grub2/group.yml
+@@ -15,4 +15,4 @@ description: |-
+     with a password and ensure its configuration file's permissions
+     are set properly.
+ 
+-platform: machine
++platform: grub2
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
+index 63a6a7a83c..15db01a75f 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
+@@ -68,3 +68,5 @@ warnings:
+ 
+         Also, do NOT manually add the superuser account and password to the
+         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+index baade9c13e..d4f455e66a 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+@@ -17,3 +17,5 @@ identifiers:
+ 
+ references:
+     anssi: NT28(R11)
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
+index 113726d34f..c8956c2f34 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
+@@ -37,3 +37,5 @@ ocil: |-
+     <tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
+     media which should not exist in the line:
+     <pre>set root='hd0,msdos1'</pre>
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+index 985b8727d7..b6e9774608 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+@@ -72,3 +72,5 @@ warnings:
+ 
+         Also, do NOT manually add the superuser account and password to the
+         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+index 1926837db7..5abd86b9d9 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+@@ -75,3 +75,5 @@ warnings:
+ 
+         Also, do NOT manually add the superuser account and password to the
+         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+index 3ce5a2df13..3114d2d27c 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+@@ -73,3 +73,5 @@ warnings:
+ 
+         Also, do NOT manually add the superuser account and password to the
+         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
+index c94185f3f4..5de05c057a 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
+@@ -35,3 +35,5 @@ ocil: |-
+     <tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
+     media which should not exist in the line:
+     <pre>set root='hd0,msdos1'</pre>
++
++platform: machine
+diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
+new file mode 100644
+index 0000000000..e83f45bc3b
+--- /dev/null
++++ b/shared/checks/oval/installed_env_has_grub2_package.xml
+@@ -0,0 +1,37 @@
++<def-group>
++  <definition class="inventory"
++  id="installed_env_has_grub2_package" version="1">
++    <metadata>
++      <title>Package grub2 is installed</title>
++      <affected family="unix">
++        <platform>multi_platform_all</platform>
++      </affected>
++      <description>Checks if package grub2-pc is installed.</description>
++      <reference ref_id="cpe:/a:grub2" source="CPE" />
++    </metadata>
++    <criteria>
++      <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
++    </criteria>
++  </definition>
++
++{{% if pkg_system == "rpm" %}}
++  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
++  id="test_env_has_grub2_installed" version="1"
++  comment="system has package grub2-pc installed">
++    <linux:object object_ref="obj_env_has_grub2_installed" />
++  </linux:rpminfo_test>
++  <linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
++    <linux:name>grub2-pc</linux:name>
++  </linux:rpminfo_object>
++{{% elif pkg_system == "dpkg" %}}
++  <linux:dpkginfo_test check="all" check_existence="all_exist"
++  id="test_env_has_grub2_installed" version="1"
++  comment="system has package grub2-pc installed">
++    <linux:object object_ref="obj_env_has_grub2_installed" />
++  </linux:dpkginfo_test>
++  <linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
++    <linux:name>grub2-pc</linux:name>
++  </linux:dpkginfo_object>
++{{% endif %}}
++
++</def-group>
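Review bot: Keying the `cpe:/a:grub2` inventory on `grub2-pc` ties the platform to the BIOS target package; on a UEFI install the bootloader is normally provided by `grub2-efi-*` and `grub2-pc` is typically absent, so once the bootloader-grub2 group and `grub2_disable_interactive_boot` switch to `platform: grub2` (the `group.yml` and `rule.yml` hunks in patches 3 and 4), the UEFI rules — `grub2_uefi_password`, `grub2_uefi_admin_username`, `file_owner_efi_grub2_cfg`, `file_groupowner_efi_grub2_cfg`, `uefi_no_removeable_media` — would come out as not applicable on exactly the systems they target, and the scan would pass by absence instead of failing. The object should match a package present on both targets; one option within OVAL is a pattern on the name, `<linux:name operation="pattern match">^grub2-(pc|efi-.*)$</linux:name>`, or a common package such as `grub2-common` if every supported product installs it (verify per product). The dpkg branch has the same issue in a different form: Debian's BIOS package is named `grub-pc`, so `grub2-pc` would never match there. The `description` and `comment` text should then be updated to stop claiming the check is specifically for `grub2-pc`.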
+diff --git a/ssg/constants.py b/ssg/constants.py
+index f03aa87f09..318763b219 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -498,6 +498,7 @@
+     "container": "cpe:/a:container",
+     "chrony": "cpe:/a:chrony",
+     "gdm": "cpe:/a:gdm",
++    "grub2": "cpe:/a:grub2",
+     "libuser": "cpe:/a:libuser",
+     "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd",
+     "ntp": "cpe:/a:ntp",
+
+From 8bb44ebe9c32b7916a7291b1fa5735b381494cfb Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 2 Jul 2020 16:58:14 +0200
+Subject: [PATCH 4/5] Move grub2_disable_interactive_boot to grub2 platform
+
+It should have both platforms machine and grub2.
+But as the parent group is very broad, I cannot put parent group as
+machine.
+
+As a side effect this change makes this rules applicable in containers.
+---
+ .../accounts-physical/grub2_disable_interactive_boot/rule.yml   | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
+index 3080470aa8..44ea1aa49a 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
+@@ -48,4 +48,4 @@ ocil: |-
+     Presence of a <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> indicates
+     that interactive boot is enabled at boot time.
+ 
+-platform: machine
++platform: grub2
+
+From 17ba5bc9ecc955911b7a3ab30bcd221283472b3f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 23 Jun 2020 23:20:18 +0200
+Subject: [PATCH 5/5] Update CPE Dictionaries
+
+Again, whenever a package CPE is added, all CPE dictionaries need to be
+updated.
+Because the project doesn't share CPEs among the products.
+---
+ debian10/cpe/debian10-cpe-dictionary.xml       | 5 +++++
+ debian8/cpe/debian8-cpe-dictionary.xml         | 5 +++++
+ debian9/cpe/debian9-cpe-dictionary.xml         | 5 +++++
+ fedora/cpe/fedora-cpe-dictionary.xml           | 5 +++++
+ ol7/cpe/ol7-cpe-dictionary.xml                 | 5 +++++
+ ol8/cpe/ol8-cpe-dictionary.xml                 | 5 +++++
+ opensuse/cpe/opensuse-cpe-dictionary.xml       | 5 +++++
+ rhel7/cpe/rhel7-cpe-dictionary.xml             | 5 +++++
+ rhel8/cpe/rhel8-cpe-dictionary.xml             | 5 +++++
+ rhv4/cpe/rhv4-cpe-dictionary.xml               | 5 +++++
+ sle11/cpe/sle11-cpe-dictionary.xml             | 5 +++++
+ sle12/cpe/sle12-cpe-dictionary.xml             | 5 +++++
+ sle15/cpe/sle15-cpe-dictionary.xml             | 5 +++++
+ ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml   | 5 +++++
+ ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml   | 5 +++++
+ ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml   | 5 +++++
+ wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 5 +++++
+ wrlinux8/cpe/wrlinux8-cpe-dictionary.xml       | 5 +++++
+ 18 files changed, 90 insertions(+)
+
+diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
+index 5cc27ceb79..f2dbd09cfc 100644
+--- a/debian10/cpe/debian10-cpe-dictionary.xml
++++ b/debian10/cpe/debian10-cpe-dictionary.xml
+@@ -27,6 +27,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
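Review bot: This series adds the `grub2` CPE item to all 18 product dictionaries, but the `zipl` CPE introduced in the first patch was only added to `rhel8/cpe/rhel8-cpe-dictionary.xml`; by the rule stated in this commit's own message, any other product that builds the bootloader-zipl group (now `platform: zipl`) would reference a CPE its dictionary does not define. I cannot tell from the diff which products include that group, so this may be deliberate for an s390x RHEL-only case, but it is worth confirming, and if not, the same five-line `cpe-item` block for `cpe:/a:zipl` pointing at `installed_env_has_zipl_package` belongs in each affected dictionary. The rhel8 zipl entry also omits the `<!-- the check references an OVAL file that contains an inventory definition -->` comment that every other item carries, so adding it there keeps the entries uniform.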
+diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
+index 38d490138a..f385709052 100644
+--- a/debian8/cpe/debian8-cpe-dictionary.xml
++++ b/debian8/cpe/debian8-cpe-dictionary.xml
+@@ -27,6 +27,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
+index f01770b044..bc90a12bae 100644
+--- a/debian9/cpe/debian9-cpe-dictionary.xml
++++ b/debian9/cpe/debian9-cpe-dictionary.xml
+@@ -27,6 +27,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
+index 2964e320c2..ff7cebc322 100644
+--- a/fedora/cpe/fedora-cpe-dictionary.xml
++++ b/fedora/cpe/fedora-cpe-dictionary.xml
+@@ -62,6 +62,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
+index c153272121..613f853a6d 100644
+--- a/ol7/cpe/ol7-cpe-dictionary.xml
++++ b/ol7/cpe/ol7-cpe-dictionary.xml
+@@ -27,6 +27,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
+index 3fd74e53ca..912fe01346 100644
+--- a/ol8/cpe/ol8-cpe-dictionary.xml
++++ b/ol8/cpe/ol8-cpe-dictionary.xml
+@@ -27,6 +27,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
+index 1ab4e85ea8..7f485b800e 100644
+--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
++++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
+@@ -42,6 +42,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
+index a5214e36f0..f232b7ed29 100644
+--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
+@@ -57,6 +57,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
+index cccb3c5791..eab827291f 100644
+--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
+@@ -32,6 +32,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
+index ce9b06dcae..db1b4b239b 100644
+--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
++++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
+@@ -32,6 +32,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
+index c732ecb48a..1b6b3e2518 100644
+--- a/sle11/cpe/sle11-cpe-dictionary.xml
++++ b/sle11/cpe/sle11-cpe-dictionary.xml
+@@ -32,6 +32,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
+index 79daa31412..b1b66e1294 100644
+--- a/sle12/cpe/sle12-cpe-dictionary.xml
++++ b/sle12/cpe/sle12-cpe-dictionary.xml
+@@ -32,6 +32,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/sle15/cpe/sle15-cpe-dictionary.xml b/sle15/cpe/sle15-cpe-dictionary.xml
+index 91d3d78b19..0ee5a1b817 100644
+--- a/sle15/cpe/sle15-cpe-dictionary.xml
++++ b/sle15/cpe/sle15-cpe-dictionary.xml
+@@ -32,6 +32,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+index df5abff723..7f3ce4271b 100644
+--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
++++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+@@ -27,6 +27,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+index 6269344376..83f0c8c516 100644
+--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
++++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+@@ -27,6 +27,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+index ccb285768e..77b78d74ec 100644
+--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
++++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+@@ -27,6 +27,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+index 73e419c9ab..cc4e806a4d 100644
+--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
++++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+@@ -26,6 +26,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
+diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+index 8449ea1416..824c575a6a 100644
+--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
++++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+@@ -26,6 +26,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch b/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch
new file mode 100644
index 0000000..084c528
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch
@@ -0,0 +1,595 @@
+From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 25 May 2020 14:33:06 +0200
+Subject: [PATCH 1/5] Add zIPL bootloader group
+
+---
+ linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
+new file mode 100644
+index 0000000000..36da84530c
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/group.yml
+@@ -0,0 +1,11 @@
++documentation_complete: true
++
++title: 'zIPL bootloader configuration'
++
++description: |-
++    During the boot process, the bootloader is
++    responsible for starting the execution of the kernel and passing
++    options to it.
++    The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
++
++platform: machine
+
+From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 25 May 2020 15:26:19 +0200
+Subject: [PATCH 2/5] Add zIPL rule for early audit capability
+
+---
+ .../zipl_audit_argument/rule.yml              | 40 +++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+new file mode 100644
+index 0000000000..ce2bd60c59
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -0,0 +1,40 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
++
++description: |-
++    To ensure all processes can be audited, even those which start prior to the audit daemon,
++    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
++    included in its options.
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++
++    To ensure that new kernels and boot entries continue to enable audit,
++    add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
++
++rationale: |-
++    Each process on the system carries an "auditable" flag which indicates whether
++    its activities can be audited. Although <tt>auditd</tt> takes care of enabling
++    this for all processes which launch after it does, adding the kernel argument
++    ensures it is set for every process during boot.
++
++severity: medium
++
++ocil_clause: 'auditing is not enabled at boot time'
++
++ocil: |-
++  To check that audit is enabled at boot time, check all boot entries with following command:
++  <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
++  No line should be returned, each line returned is a boot entry that doesn't enable audit.
++
++  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
++  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
++  No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
++  and <tt>/etc/zipl.conf</tt>:
++  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
++  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
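Review bot: The ocil grep `sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf` is written with `\s+`, but GNU grep's default basic regex treats a bare `+` as a literal character, so `^options\s+` only matches an options line followed by whitespace and a literal `+`, and `grep -L` then lists every boot entry as lacking `audit=1` even when it is compliant. Run it as an extended regex, `sudo grep -L -E "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf`, or write the quantifier as `\s\+`. The same pattern recurs in the ocil of zipl_audit_backlog_limit_argument, zipl_enable_selinux, zipl_page_poison_argument, zipl_pti_argument, zipl_slub_debug_argument and zipl_vsyscall_argument below. This rule file is carried inside a larger patch, so the enclosing hunk continues outside this view.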
+
+From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 26 May 2020 15:06:12 +0200
+Subject: [PATCH 3/5] Add few more zIPL kernel option rules
+
+Add rules for following options:
+- audit_backlog_limit
+- selinux
+- audit_backlog_limit
+- enable_selinux
+- page_poison
+- pti
+- slub_debug
+- vsyscall
+---
+ .../rule.yml                                  | 41 +++++++++++++++++++
+ .../zipl_enable_selinux/rule.yml              | 37 +++++++++++++++++
+ .../zipl_page_poison_argument/rule.yml        | 41 +++++++++++++++++++
+ .../zipl_pti_argument/rule.yml                | 40 ++++++++++++++++++
+ .../zipl_slub_debug_argument/rule.yml         | 41 +++++++++++++++++++
+ .../zipl_vsyscall_argument/rule.yml           | 41 +++++++++++++++++++
+ 6 files changed, 241 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+new file mode 100644
+index 0000000000..08c5b53207
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
++
++description: |-
++    To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
++    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
++    included in its options.
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++
++    To ensure that new kernels and boot entries continue to extend the audit log events queue,
++    add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
++
++rationale: |-
++    audit_backlog_limit sets the queue length for audit events awaiting transfer
++    to the audit daemon. Until the audit daemon is up and running, all log messages
++    are stored in this queue.  If the queue is overrun during boot process, the action
++    defined by audit failure flag is taken.
++
++severity: medium
++
++ocil_clause: 'audit backlog limit is not configured'
++
++ocil: |-
++  To check that all boot entries extend the backlog limit;
++  Check that all boot entries extend the log events queue:
++  <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
++  No line should be returned, each line returned is a boot entry that does not extend the log events queue.
++
++  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
++  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
++  No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
++  and <tt>/etc/zipl.conf</tt>:
++  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
++  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
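Review bot: The ocil check greps for `audit_backlog_limit=0`, but the description and the second paragraph require `audit_backlog_limit=8192`; with `grep -L` an entry that sets 8192 is reported as non-compliant and an entry that sets 0 passes, the opposite of the rule's intent. Change the pattern to `sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf`. The two opening sentences of the ocil (`To check that all boot entries extend the backlog limit;` and `Check that all boot entries extend the log events queue:`) say the same thing; the first can be dropped.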
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+new file mode 100644
+index 0000000000..e7a455b90c
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -0,0 +1,37 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Ensure SELinux Not Disabled in zIPL'
++
++description: |-
++    To ensure SELinux is not disabled at boot time,
++    check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
++    included in its options.
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++
++rationale: |-
++    Disabling a major host protection feature, such as SELinux, at boot time prevents
++    it from confining system services at boot time.  Further, it increases
++    the chances that it will remain off during system operation.
++
++severity: medium
++
++ocil_clause: 'SELinux is disabled at boot time'
++
++ocil: |-
++    To check that selinux is not disabled at boot time;
++    Check that no boot entry disables selinux:
++    <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
++    No line should be returned, each line returned is a boot entry that disables SELinux.
++
++    Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
++    <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
++    No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++    And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
++    and <tt>/etc/zipl.conf</tt>:
++    <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
++    No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
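Review bot: The ocil check uses `grep -L` on `selinux=0`, which lists the files that do NOT contain that string, so every compliant boot entry is printed while an entry that actually disables SELinux stays silent — the inverse of the sentence that follows it. Unlike the other rules in this set, this one searches for a forbidden value, so it needs `grep -l`: `sudo grep -l "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf`. The description (`check that no boot entry ... has selinux=0`) already matches the `-l` form.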
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+new file mode 100644
+index 0000000000..b8a2eecee6
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Enable page allocator poisoning in zIPL'
++
++description: |-
++    To enable poisoning of free pages,
++    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
++    included in its options.
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++
++    To ensure that new kernels and boot entries continue to enable page poisoning,
++    add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
++
++rationale: |-
++    Poisoning writes an arbitrary value to freed pages, so any modification or
++    reference to that page after being freed or before being initialized will be
++    detected and prevented.
++    This prevents many types of use-after-free vulnerabilities at little performance cost.
++    Also prevents leak of data and detection of corrupted memory.
++
++severity: medium
++
++ocil_clause: 'page allocator poisoning is not enabled'
++
++ocil: |-
++  To check that page poisoning is enabled at boot time, check all boot entries with following command:
++  <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
++  No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
++
++  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
++  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
++  No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
++  and <tt>/etc/zipl.conf</tt>:
++  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
++  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
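Review bot: The last rationale sentence, `Also prevents leak of data and detection of corrupted memory.`, reads as though poisoning prevents detection; the intent appears to be that it prevents data leaks and makes corrupted memory detectable, e.g. `It also prevents leaking of data and allows detection of corrupted memory.` The same sentence is repeated in the rationale of zipl_slub_debug_argument and zipl_vsyscall_argument below.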
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+new file mode 100644
+index 0000000000..4757871a5f
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -0,0 +1,40 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
++
++description: |-
++    To enable Kernel page-table isolation,
++    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
++    included in its options.
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++
++    To ensure that new kernels and boot entries continue to enable page-table isolation,
++    add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
++
++rationale: |-
++    Kernel page-table isolation is a kernel feature that mitigates
++    the Meltdown security vulnerability and hardens the kernel
++    against attempts to bypass kernel address space layout
++    randomization (KASLR).
++
++severity: medium
++
++ocil_clause: 'Kernel page-table isolation is not enabled'
++
++ocil: |-
++  To check that page-table isolation is enabled at boot time, check all boot entries with following command:
++  <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
++  No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
++
++  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
++  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
++  No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
++  and <tt>/etc/zipl.conf</tt>:
++  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
++  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
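Review bot: The ocil line `... a boot entry that doesn't enable page-table isolation .` has a stray space before the period. More substantively, this rule lives in the zIPL group whose description scopes it to s390x, while `pti=` is documented as a kernel parameter for the x86 Meltdown mitigation; whether the parameter has any effect on s390x should be confirmed before this ships under `prodtype: rhel8`, and the rationale should state the architecture assumption either way.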
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+new file mode 100644
+index 0000000000..166dd41afd
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
++
++description: |-
++    To enable poisoning of SLUB/SLAB objects,
++    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
++    included in its options.
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++
++    To ensure that new kernels and boot entries continue to extend the audit log events queue,
++    add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
++
++rationale: |-
++    Poisoning writes an arbitrary value to freed objects, so any modification or
++    reference to that object after being freed or before being initialized will be
++    detected and prevented.
++    This prevents many types of use-after-free vulnerabilities at little performance cost.
++    Also prevents leak of data and detection of corrupted memory.
++
++severity: medium
++
++ocil_clause: 'SLUB/SLAB poisoning is not enabled'
++
++ocil: |-
++  To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
++  <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
++  No line should be returned, each line returned is a boot entry that does not enable poisoning.
++
++  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
++  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
++  No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
++  and <tt>/etc/zipl.conf</tt>:
++  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
++  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
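Review bot: The second description paragraph, `To ensure that new kernels and boot entries continue to extend the audit log events queue,`, is copied from the audit_backlog_limit rule and does not describe this rule; it should read `To ensure that new kernels and boot entries continue to enable SLUB/SLAB poisoning,`. The ocil introduction also ends in a semicolon (`... with following command;`) where the sibling rules use a colon.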
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+new file mode 100644
+index 0000000000..6b95d16fb8
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Disable vsyscalls in zIPL'
++
++description: |-
++    To disable use of virtual syscalls,
++    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
++    included in its options.
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++
++    To ensure that new kernels and boot entries continue to disable virtual syscalls,
++    add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
++
++rationale: |-
++    Poisoning writes an arbitrary value to freed pages, so any modification or
++    reference to that page after being freed or before being initialized will be
++    detected and prevented.
++    This prevents many types of use-after-free vulnerabilities at little performance cost.
++    Also prevents leak of data and detection of corrupted memory.
++
++severity: medium
++
++ocil_clause: 'vsyscalls are enabled'
++
++ocil: |-
++  To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
++  <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
++  No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
++
++  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
++  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
++  No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
++  and <tt>/etc/zipl.conf</tt>:
++  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
++  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
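Review bot: The rationale is copied verbatim from zipl_page_poison_argument and talks about poisoning freed pages, which has nothing to do with `vsyscall=none`; it should instead explain that the legacy vsyscall page is mapped at a fixed address, that modern userspace uses the vDSO instead, and that removing it takes away a predictable code location. As with `pti=`, vsyscall emulation is an x86_64 feature, so its applicability to a zIPL group described as s390x-only should be confirmed or documented in the rule.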
+
+From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Jun 2020 13:29:39 +0200
+Subject: [PATCH 4/5] Fix formatting of zIPL rules
+
+<pre> is renderend in a separate line, while <tt> is rendered inline.
+Add line breaks for better readability.
+---
+ .../bootloader-zipl/zipl_audit_argument/rule.yml       | 10 +++++-----
+ .../zipl_audit_backlog_limit_argument/rule.yml         | 10 +++++-----
+ .../bootloader-zipl/zipl_enable_selinux/rule.yml       |  8 ++++----
+ .../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
+ .../system/bootloader-zipl/zipl_pti_argument/rule.yml  | 10 +++++-----
+ .../bootloader-zipl/zipl_slub_debug_argument/rule.yml  | 10 +++++-----
+ .../bootloader-zipl/zipl_vsyscall_argument/rule.yml    | 10 +++++-----
+ 7 files changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index ce2bd60c59..16c0b3f89a 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
+ description: |-
+     To ensure all processes can be audited, even those which start prior to the audit daemon,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
+-    included in its options.
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++    included in its options.<br />
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
++    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to enable audit,
+-    add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
++    add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+ rationale: |-
+     Each process on the system carries an "auditable" flag which indicates whether
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 08c5b53207..47a532d50f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
+ description: |-
+     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
+-    included in its options.
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++    included in its options.<br />
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
++    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+-    add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
++    add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+ rationale: |-
+     audit_backlog_limit sets the queue length for audit events awaiting transfer
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+index e7a455b90c..5aa91c16aa 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
+ description: |-
+     To ensure SELinux is not disabled at boot time,
+     check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
+-    included in its options.
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++    included in its options.<br />
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
++    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+ rationale: |-
+     Disabling a major host protection feature, such as SELinux, at boot time prevents
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index b8a2eecee6..8546325752 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
+ description: |-
+     To enable poisoning of free pages,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
+-    included in its options.
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++    included in its options.<br />
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
++    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
+ 
+     To ensure that new kernels and boot entries continue to enable page poisoning,
+-    add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
++    add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+ rationale: |-
+     Poisoning writes an arbitrary value to freed pages, so any modification or
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 4757871a5f..eaef25ce40 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+ description: |-
+     To enable Kernel page-table isolation,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+-    included in its options.
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++    included in its options.<br />
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
++    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to enable page-table isolation,
+-    add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
++    add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+ rationale: |-
+     Kernel page-table isolation is a kernel feature that mitigates
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 166dd41afd..68e91a92d6 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
+ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+-    included in its options.
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++    included in its options.<br />
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
++    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+-    add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
++    add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+ rationale: |-
+     Poisoning writes an arbitrary value to freed objects, so any modification or
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 6b95d16fb8..8d39337f9e 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
+ description: |-
+     To disable use of virtual syscalls,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
+-    included in its options.
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+-    And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
++    included in its options.<br />
++    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
++    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
++    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to disable virtual syscalls,
+-    add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
++    add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+ rationale: |-
+     Poisoning writes an arbitrary value to freed pages, so any modification or
+
+From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Jun 2020 13:08:07 +0200
+Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale
+
+copy-pasta error
+---
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 8d39337f9e..9624b43349 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -16,11 +16,8 @@ description: |-
+     add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+ rationale: |-
+-    Poisoning writes an arbitrary value to freed pages, so any modification or
+-    reference to that page after being freed or before being initialized will be
+-    detected and prevented.
+-    This prevents many types of use-after-free vulnerabilities at little performance cost.
+-    Also prevents leak of data and detection of corrupted memory.
++    Virtual Syscalls provide an opportunity of attack for a user who has control
++    of the return instruction pointer.
+ 
+ severity: medium
+ 
diff --git a/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch b/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
new file mode 100644
index 0000000..58339fa
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
@@ -0,0 +1,29 @@
+From c7d49a79cffdbfb2e1231077f665cbb940b50a98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 13 Jul 2020 17:52:35 +0200
+Subject: [PATCH] Fix SCAPVAL error SRC-15
+
+The CPE `cpe:/a:grub2` is used in `xccdf-1.2:platform` element
+in group `bootloader-grub2`, but this CPE isn't defined in the
+RHEL 6 CPE dictionary. All used CPEs should be defined in the
+dictionary.
+---
+ rhel6/cpe/rhel6-cpe-dictionary.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
+index bca8986f7a..1b696b88d3 100644
+--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
++++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
+@@ -47,6 +47,11 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:grub2">
++            <title xml:lang="en-us">Package grub2 is installed</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
++      </cpe-item>
+       <cpe-item name="cpe:/a:libuser">
+             <title xml:lang="en-us">Package libuser is installed</title>
+             <!-- the check references an OVAL file that contains an inventory definition -->
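Review bot: The rhel6 hunk's pre-image blob `bca8986f7a` is the post-image of the rhel6 dictionary change carried in the PR_5912 patch, so this patch applies only after that one; the spec's Patch ordering (not visible here) has to keep 5912 ahead of 5928 regardless of filename sort, or the hunk at `@@ -47,6 +47,11 @@` will fail to apply cleanly. The added item also depends on an OVAL inventory definition `installed_env_has_grub2_package` existing for the rhel6 product, and nothing in this patch adds it; if it is absent, the CPE is declared but never evaluable, which silences SCAPVAL SRC-15 without making the `bootloader-grub2` group actually gate on grub2 being present. Worth a build-time check that every `<check>` reference in the dictionary resolves to a shipped definition.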
diff --git a/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch b/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
new file mode 100644
index 0000000..1f77753
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
@@ -0,0 +1,250 @@
+From d1b9040748605416220e09feb56fc5a6b6402f1e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 7 Jul 2020 16:37:30 +0200
+Subject: [PATCH] Add zipl to CPE dictionaries in all Linux products
+
+The CPE platform `cpe:/a:zipl` has been set as a platform for XCCDF
+group `bootloader-zipl` but the definition of the CPE was missing from
+the CPE dictionary in some datastreams, for example fedora datastream.
+This triggered error SRC-15 in NIST scapval tool.
+---
+ debian10/cpe/debian10-cpe-dictionary.xml       | 4 ++++
+ debian8/cpe/debian8-cpe-dictionary.xml         | 4 ++++
+ debian9/cpe/debian9-cpe-dictionary.xml         | 4 ++++
+ fedora/cpe/fedora-cpe-dictionary.xml           | 4 ++++
+ ol7/cpe/ol7-cpe-dictionary.xml                 | 4 ++++
+ ol8/cpe/ol8-cpe-dictionary.xml                 | 4 ++++
+ opensuse/cpe/opensuse-cpe-dictionary.xml       | 4 ++++
+ rhel6/cpe/rhel6-cpe-dictionary.xml             | 4 ++++
+ rhel7/cpe/rhel7-cpe-dictionary.xml             | 4 ++++
+ rhv4/cpe/rhv4-cpe-dictionary.xml               | 4 ++++
+ sle11/cpe/sle11-cpe-dictionary.xml             | 4 ++++
+ sle12/cpe/sle12-cpe-dictionary.xml             | 4 ++++
+ ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml   | 4 ++++
+ ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml   | 4 ++++
+ ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml   | 4 ++++
+ wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 4 ++++
+ wrlinux8/cpe/wrlinux8-cpe-dictionary.xml       | 4 ++++
+ 19 files changed, 76 insertions(+)
+
+diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
+index f2dbd09cfc..ddb68c34bd 100644
+--- a/debian10/cpe/debian10-cpe-dictionary.xml
++++ b/debian10/cpe/debian10-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
+index f385709052..24bbca69cd 100644
+--- a/debian8/cpe/debian8-cpe-dictionary.xml
++++ b/debian8/cpe/debian8-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
+index bc90a12bae..d5595fd594 100644
+--- a/debian9/cpe/debian9-cpe-dictionary.xml
++++ b/debian9/cpe/debian9-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
+index ff7cebc322..bef1337fc9 100644
+--- a/fedora/cpe/fedora-cpe-dictionary.xml
++++ b/fedora/cpe/fedora-cpe-dictionary.xml
+@@ -107,4 +107,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
+index 613f853a6d..5d4691aaf6 100644
+--- a/ol7/cpe/ol7-cpe-dictionary.xml
++++ b/ol7/cpe/ol7-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
+index 912fe01346..35167b1f70 100644
+--- a/ol8/cpe/ol8-cpe-dictionary.xml
++++ b/ol8/cpe/ol8-cpe-dictionary.xml
+@@ -67,4 +67,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
+index 7f485b800e..6b95e46d3f 100644
+--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
++++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
+@@ -87,4 +87,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
+index 2c8a82ebc5..bca8986f7a 100644
+--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
++++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
+@@ -87,4 +87,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
+index f232b7ed29..bc2aa869e8 100644
+--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
+@@ -102,4 +102,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
+index db1b4b239b..02450d6efc 100644
+--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
++++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
+index 1b6b3e2518..b7cb4e1fd5 100644
+--- a/sle11/cpe/sle11-cpe-dictionary.xml
++++ b/sle11/cpe/sle11-cpe-dictionary.xml
+@@ -77,4 +77,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
+index b1b66e1294..73cddd7740 100644
+--- a/sle12/cpe/sle12-cpe-dictionary.xml
++++ b/sle12/cpe/sle12-cpe-dictionary.xml
+@@ -77,4 +77,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+index 7f3ce4271b..3f5447741b 100644
+--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
++++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+index 83f0c8c516..e3e842842b 100644
+--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
++++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+index 77b78d74ec..897673c6f5 100644
+--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
++++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+index cc4e806a4d..ef7e803505 100644
+--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
++++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+@@ -71,4 +71,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
+diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+index 824c575a6a..7184ebfd0b 100644
+--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
++++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+@@ -71,4 +71,8 @@
+             <!-- the check references an OVAL file that contains an inventory definition -->
+             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+       </cpe-item>
++      <cpe-item name="cpe:/a:zipl">
++            <title xml:lang="en-us">System uses zipl</title>
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
++      </cpe-item>
+ </cpe-list>
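Review bot: The diffstat line `19 files changed, 76 insertions(+)` does not match the body, which contains 17 file sections and 68 added lines, so two files were dropped from this backport without regenerating the summary; `patch` and `git apply` ignore the stat, but it misleads anyone auditing what this backport touches, so regenerate it or note the omitted files in the header. Separately, every product now references the same inventory definition `installed_env_has_zipl_package`, including the Debian, Ubuntu and SUSE dictionaries; if that definition tests an RPM package name, it can never be true on dpkg-based products and the `bootloader-zipl` group becomes silently not-applicable there rather than evaluated, which should be confirmed against the definition or made explicit in the titles. The new items also omit the `<!-- the check references an OVAL file that contains an inventory definition -->` comment carried by the neighbouring cpe-items.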
diff --git a/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch b/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
new file mode 100644
index 0000000..398abcc
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
@@ -0,0 +1,88 @@
+From d455dc468ef51dd595ce6184f1d31ebf4c20ab9c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 22 Jul 2020 09:52:50 +0200
+Subject: [PATCH] Add grub2 platform to grub2 kernel option rules
+
+This will make sure these rules are applicable only when grub2
+(grub2-pc) is installed.
+---
+ linux_os/guide/system/auditing/grub2_audit_argument/rule.yml    | 2 ++
+ .../system/auditing/grub2_audit_backlog_limit_argument/rule.yml | 2 +-
+ .../system/permissions/mounting/grub2_nousb_argument/rule.yml   | 2 ++
+ .../guide/system/permissions/restrictions/poisoning/group.yml   | 2 ++
+ .../restrictions/poisoning/grub2_page_poison_argument/rule.yml  | 2 +-
+ .../restrictions/poisoning/grub2_slub_debug_argument/rule.yml   | 2 +-
+ 7 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index 00cb7f9b6c..5f3a47a776 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -102,6 +102,8 @@ warnings:
+ {{% endif %}}
+         </ul>
+ 
++platform: grub2
++
+ template:
+     name: grub2_bootloader_argument
+     vars:
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index 6cab6f7bfe..aa95957b58 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -60,7 +60,7 @@ warnings:
+ {{% endif %}}
+         </ul>
+ 
+-platform: machine
++platform: grub2
+ 
+ template:
+     name: grub2_bootloader_argument
+diff --git a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
+index a3c1f48231..407ba2c069 100644
+--- a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
+@@ -37,3 +37,5 @@ warnings:
+         Disabling all kernel support for USB will cause problems for systems
+         with USB-based keyboards, mice, or printers. This configuration is
+         infeasible for systems which require USB devices, which is common.
++
++platform: grub2
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
+index 6a7a370f2b..030a3e9918 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
+@@ -6,3 +6,5 @@ description: |-
+     Memory Poisoning consists of writing a special value to uninitialized or freed memory.
+     Poisoning can be used as a mechanism to prevent leak of information and detection of
+     corrupted memory.
++
++platform: machine
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+index e3047ef223..2d97ec75ea 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+@@ -60,7 +60,7 @@ warnings:
+ {{% endif %}}
+         </ul>
+ 
+-platform: machine
++platform: grub2
+ 
+ template:
+     name: grub2_bootloader_argument
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+index 024c93f18b..39ca33b77a 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+@@ -60,7 +60,7 @@ warnings:
+ {{% endif %}}
+         </ul>
+ 
+-platform: machine
++platform: grub2
+ 
+ template:
+     name: grub2_bootloader_argument
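Review bot: The diffstat line `7 files changed, 11 insertions(+), 3 deletions(-)` does not match the body, which has six file sections with nine added lines, so one file was dropped from this backport without regenerating the summary; harmless to `patch`, but misleading to anyone reviewing the backport. More importantly, the description says these rules should apply only when grub2-pc is installed, while the platform being set is the generic `grub2` CPE; whichever package the `installed_env_has_grub2_package` inventory definition actually tests (not visible here) decides whether UEFI installs with grub2-efi-* are evaluated or reported not applicable, and a not-applicable result on a UEFI host would mean the audit, page_poison and slub_debug kernel-argument checks silently stop being enforced there. Worth confirming the definition against both BIOS and UEFI package sets before this ships, and stating the intended coverage in each rule's `warnings` block.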
diff --git a/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch b/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
new file mode 100644
index 0000000..3e89401
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
@@ -0,0 +1,954 @@
+From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 1 Jul 2020 16:12:35 +0200
+Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template
+
+Create initial version of zIPL specific BLS entries
+template by copying bls_entries_option template.
+---
+ .../template_OVAL_zipl_bls_entries_option     | 32 +++++++++++++++++++
+ ssg/templates.py                              |  5 +++
+ 2 files changed, 37 insertions(+)
+ create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option
+
+diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
+new file mode 100644
+index 0000000000..a19bd5a89c
+--- /dev/null
++++ b/shared/templates/template_OVAL_zipl_bls_entries_option
+@@ -0,0 +1,32 @@
++<def-group>
++  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
++    <metadata>
++      <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
++      {{{- oval_affected(products) }}}
++      <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
++    </metadata>
++    <criteria operator="AND">
++        <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
++        comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
++    </criteria>
++  </definition>
++
++  <ind:textfilecontent54_test id="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
++  comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries"
++  check="all" check_existence="all_exist" version="1">
++    <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" />
++    <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="object_bls_{{{ SANITIZED_ARG_NAME }}}_options"
++  version="1">
++    <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>
++    <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
++    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
++  version="1">
++    <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
++  </ind:textfilecontent54_state>
++</def-group>
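Review bot: The generated OVAL ids `test_bls_{{{ SANITIZED_ARG_NAME }}}_options`, `object_bls_{{{ SANITIZED_ARG_NAME }}}_options` and `state_bls_{{{ SANITIZED_ARG_NAME }}}_option` carry no zipl-specific part, and the commit message says this template was copied from bls_entries_option; if that template emits the same ids, a product that builds both grub2_audit_argument and zipl_audit_argument (as rhel8 does later in this series) ends up with duplicate definition/test/object ids in one datastream. Prefixing the ids with the template name, e.g. `test_zipl_bls_{{{ SANITIZED_ARG_NAME }}}_options`, avoids the collision regardless of how the other template is named. Note also that the ids are derived from the argument name only, so two rules for the same argument with different values would still collide with each other.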
+diff --git a/ssg/templates.py b/ssg/templates.py
+index 2795267abd..fc09416abe 100644
+--- a/ssg/templates.py
++++ b/ssg/templates.py
+@@ -340,6 +340,22 @@ def bls_entries_option(data, lang):
+     return data
+ 
+ 
++@template(["oval"])
++def bls_entries_option(data, lang):
++    data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
++    if lang == "oval":
++        # escape dot, this is used in oval regex
++        data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
++        # replace . with _, this is used in test / object / state ids
++        data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
++    return data
++
++
++@template(["oval"])
++def zipl_bls_entries_option(data, lang):
++    return bls_entries_option(data, lang)
++
++
+ class Builder(object):
+     """
+     Class for building all templated content for a given product.
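Review bot: The hunk adds a second module-level `def bls_entries_option(data, lang)` directly below the existing one (the hunk header and the `return data` context at line 340 show the original definition already ends there), so the later definition shadows the first and re-runs `@template(["oval"])` for the same name; if the template registry is keyed by function name and the original was registered for ansible and bash as well, this silently narrows the grub2 template to OVAL only. The commit's own diffstat says `ssg/templates.py | 5 +++`, which matches adding only the wrapper, so the duplicate looks like a backport artifact. Drop the lines that redefine `bls_entries_option` and keep just `@template(["oval"])` / `def zipl_bls_entries_option(data, lang):` / `    return bls_entries_option(data, lang)`.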
+
+From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 9 Jul 2020 14:11:04 +0200
+Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install
+
+Extend zipl_bls_entries_option template to check that the kernel option
+is also configure in /etc/kernel/cmdline.
+The presence of the argument in /etc/kernel/cmdline ensures that newly
+installed kernels will be configure if the option.
+---
+ .../template_OVAL_zipl_bls_entries_option     | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
+index a19bd5a89c..9af1bcfbee 100644
+--- a/shared/templates/template_OVAL_zipl_bls_entries_option
++++ b/shared/templates/template_OVAL_zipl_bls_entries_option
+@@ -6,8 +6,10 @@
+       <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
+     </metadata>
+     <criteria operator="AND">
+-        <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+-        comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
++      <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
++      comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
++      <criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
++      comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
+     </criteria>
+   </definition>
+ 
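Review bot: The `<description>` in the context line above still says the option is checked only in the 'options' line of /boot/loader/entries/*.conf, while the new criterion also requires it in /etc/kernel/cmdline, so a reader of the OVAL result cannot tell why a system with compliant entries still fails. Update it to `<description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf and in /etc/kernel/cmdline, so that newly installed kernels retain it.</description>`.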
+@@ -25,6 +27,19 @@
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
++  <ind:textfilecontent54_test id="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
++  comment="Check for option {{{ ARG_NAME_VALUE }}} in /etc/kernel/cmdline"
++  check="all" check_existence="all_exist" version="1">
++    <ind:object object_ref="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option" />
++    <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
++  </ind:textfilecontent54_test>
++  <ind:textfilecontent54_object id="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
++  version="1">
++    <ind:filepath>/etc/kernel/cmdline</ind:filepath>
++    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
++    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
+   <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
+   version="1">
+     <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
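Review bot: `object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option` selects every line of /etc/kernel/cmdline with `^(.*)$` and the test uses `check="all"`, so any extra line that lacks the option — a second line someone appended, or possibly a trailing empty line depending on how the OVAL engine handles an empty match — fails the rule even though the first line is compliant. If the file is expected to be a single line, say so in the test comment; otherwise restrict the object to non-blank lines with `<ind:pattern operation="pattern match">^(.*\S.*)$</ind:pattern>` so blank lines cannot produce a failing item.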
+
+From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 9 Jul 2020 14:12:32 +0200
+Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash
+
+---
+ .../template_ANSIBLE_zipl_bls_entries_option  | 48 +++++++++++++++++++
+ .../template_BASH_zipl_bls_entries_option     | 12 +++++
+ ssg/templates.py                              |  2 +-
+ 3 files changed, 61 insertions(+), 1 deletion(-)
+ create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option
+ create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option
+
+diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+new file mode 100644
+index 0000000000..c0cb131b82
+--- /dev/null
++++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+@@ -0,0 +1,48 @@
++# platform = Red Hat Enterprise Linux 8
++# reboot = true
++# strategy = configure
++# complexity = medium
++# disruption = low
++
++- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
++  block:
++    - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
++      find:
++        paths: "/boot/loader/entries/"
++        contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
++        patterns: "*.conf"
++      register: entries_options
++
++    - name: "Update boot entries options"
++      command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
++      when: entries_options is defined and entries_options.examined != entries_options.matched
++      # The conditional above assumes that only *.conf files are present in /boot/loader/entries
++      # Then, the number of conf files is the same as examined files
++
++    - name: "Check if /etc/kernel/cmdline exists"
++      stat:
++        path: /etc/kernel/cmdline
++      register: cmdline_stat
++
++    - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
++      find:
++        paths: "/etc/kernel/"
++        patterns: "cmdline"
++        contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"
++      register: cmdline_find
++
++    - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
++      lineinfile:
++        create: yes
++        path: "/etc/kernel/cmdline"
++        line: '{{{ ARG_NAME_VALUE }}}'
++      when: cmdline_stat is defined and not cmdline_stat.stat.exists
++
++    - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
++      lineinfile:
++        path: "/etc/kernel/cmdline"
++        backrefs: yes
++        regexp: "^(.*)$"
++        line: '\1 {{{ ARG_NAME_VALUE }}}'
++      when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0
++
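Review bot: The `grubby --update-kernel=ALL` task rewrites the BLS entry files, but nothing in this playbook regenerates the zipl bootmap, and on s390x the IPL reads the bootmap rather than /boot/loader/entries, so the new argument is not in effect until `zipl` is run; the series also selects `zipl_bootmap_is_up_to_date`, which this remediation would then leave failing. I cannot confirm from the patch whether grubby on s390x invokes zipl itself; if it does not, add a task `- name: "Regenerate zipl bootmap"` / `  command: zipl` with the same `when:` as the grubby task, or note in a comment that grubby performs this step.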
+diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
+new file mode 100644
+index 0000000000..9fc8865486
+--- /dev/null
++++ b/shared/templates/template_BASH_zipl_bls_entries_option
+@@ -0,0 +1,12 @@
++# platform = Red Hat Enterprise Linux 8
++
++# Correct BLS option using grubby, which is a thin wrapper around BLS operations
++grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
++
++# Ensure new kernels and boot entries retain the boot option
++if [ ! -f /etc/kernel/cmdline ]; then
++    echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
++elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
++    echo " audit=1" >> /etc/kernel/cmdline
++    sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
++fi
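Review bot: The `elif` uses `grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'` without `-E`, so in basic regex the parentheses and `?` are literal characters and the pattern can never match a real cmdline; the branch therefore runs on every invocation and appends the argument again each time, breaking idempotency. Use `grep -Eq '(^|\s){{{ ARG_NAME_VALUE }}}(\s|$)' /etc/kernel/cmdline`, and escape `.` in the value if a rule ever needs one. The branch body also hardcodes `audit=1` instead of the template variable and appends it twice (once via echo, once via sed).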
+diff --git a/ssg/templates.py b/ssg/templates.py
+index fc09416abe..a27fbb6cb6 100644
+--- a/ssg/templates.py
++++ b/ssg/templates.py
+@@ -340,7 +340,7 @@ def bls_entries_option(data, lang):
+     return data
+ 
+ 
+-@template(["oval"])
++@template(["ansible", "bash", "oval"])
+ def zipl_bls_entries_option(data, lang):
+     return bls_entries_option(data, lang)
+ 
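Review bot: The wrapper is now registered for ansible and bash, but `bls_entries_option` computes `escaped_arg_name_value` and `sanitized_arg_name` only when `lang == "oval"`, so the Ansible and Bash templates must interpolate the raw `ARG_NAME_VALUE` into their regexes (`find: contains:` and `grep`), where an unescaped `.` matches any character. The escaping is generic regex escaping rather than OVAL-specific, so move `data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")` out of the `if lang == "oval":` branch and use it in the other templates. The `bls_entries_option` function this hunk references starts outside the hunk.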
+
+From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 3 Jul 2020 15:50:56 +0200
+Subject: [PATCH 04/18] Enable zIPL in argument rules
+
+---
+ .../system/bootloader-zipl/zipl_audit_argument/rule.yml     | 6 ++++++
+ .../zipl_audit_backlog_limit_argument/rule.yml              | 6 ++++++
+ .../bootloader-zipl/zipl_page_poison_argument/rule.yml      | 6 ++++++
+ .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++
+ .../bootloader-zipl/zipl_slub_debug_argument/rule.yml       | 6 ++++++
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml  | 6 ++++++
+ 6 files changed, 36 insertions(+)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 624b4e7041..894bf7995f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -28,3 +28,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that doesn't enable audit.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: audit
++    arg_value: '1'
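Review bot: The rule keeps `platform: machine` while gaining a remediation that runs `grubby --update-kernel=ALL` and edits /etc/kernel/cmdline, so on a grub2 host it is evaluated and remediated alongside the grub2 equivalent; the sibling grub2 argument rules in this series were narrowed to `platform: grub2`. If the product defines a zipl CPE, narrow this rule the same way with `platform: zipl`; the other five rules in this commit carry the same `platform: machine`.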
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index faf114591a..12334c9905 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -28,3 +28,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: audit_backlog_limit
++    arg_value: '8192'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index 866664c01b..f5a36ee1b3 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -28,3 +28,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: page_poison
++    arg_value: '1'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 2f02d9668c..168dae46a1 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -27,3 +27,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: pti
++    arg_value: 'on'
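Review bot: `pti=on` is, as far as I can tell from the kernel's kernel-parameters documentation, an X86-64-only option (page-table isolation), while zipl is the s390x boot loader; on s390x the token is accepted but has no effect, so the rule enforces a string rather than a mitigation. Confirm whether the OSPP requirement is meant to apply on s390x at all; if the rule is kept for parity with the grub2 profile, say so in the rationale, e.g. `<tt>pti=on</tt> has no effect on s390x; it is required so boot entries match the OSPP configuration used on other architectures.`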
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 0cb10d3cd8..84a374e36f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -28,3 +28,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that does not enable poisoning.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: slub_debug
++    arg_value: 'P'
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index f79adeb083..c37e8bbefd 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -25,3 +25,9 @@ ocil: |-
+   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+ 
+ platform: machine
++
++template:
++  name: zipl_bls_entries_option
++  vars:
++    arg_name: vsyscall
++    arg_value: 'none'
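Review bot: `vsyscall=none` controls the legacy vsyscall page, which exists only on x86_64; s390x (the zipl platform) has no vsyscall emulation, so this rule checks for a token the kernel ignores. The later OSPP selection marks it `role=unscored`/`severity=info`, which mitigates the impact, but the rationale should still state that the argument is inert on s390x and is kept only for configuration parity, or the rule should be dropped from the zipl set.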
+
+From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Sat, 4 Jul 2020 01:15:49 +0200
+Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo
+
+Fix typo
+---
+ .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 12334c9905..15729dc6b6 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured'
+ ocil: |-
+   To check that all boot entries extend the backlog limit;
+   Check that all boot entries extend the log events queue:
+-  <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
++  <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+ 
+ platform: machine
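Review bot: The corrected OCIL command `grep -L "^options\s+.*\baudit_backlog_limit=8192\b"` still runs grep in basic-regex mode, where `+` is a literal character (GNU grep needs `\+` or `-E`), so `\s+` matches whitespace followed by a literal plus and `grep -L` lists every entry as non-compliant even when all are correct. Use `sudo grep -LE "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf`; the other zipl argument rules' OCIL text, not shown here, likely uses the same shape and should be checked too.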
+
+From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 9 Jul 2020 12:00:10 +0200
+Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description
+
+Description about how to ensure that new boot entries continue compliant
+was incorrect due to copy-pasta mistake.
+---
+ .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 84a374e36f..83e043179d 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -8,7 +8,7 @@ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+     included in its options.<br />
+-    To ensure that new kernels and boot entries continue to extend the audit log events queue,
++    To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
+     add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+ rationale: |-
+
+From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 9 Jul 2020 12:06:56 +0200
+Subject: [PATCH 07/18] Add CCEs to zIPL argument rules
+
+---
+ .../system/bootloader-zipl/zipl_audit_argument/rule.yml     | 3 +++
+ .../zipl_audit_backlog_limit_argument/rule.yml              | 3 +++
+ .../bootloader-zipl/zipl_page_poison_argument/rule.yml      | 3 +++
+ .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++
+ .../bootloader-zipl/zipl_slub_debug_argument/rule.yml       | 3 +++
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml  | 3 +++
+ 7 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 894bf7995f..b1307ef3f2 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -20,6 +20,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83321-0
++
+ ocil_clause: 'auditing is not enabled at boot time'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 15729dc6b6..18391bee6c 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -19,6 +19,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83341-8
++
+ ocil_clause: 'audit backlog limit is not configured'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index f5a36ee1b3..7ffea8ce6a 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -20,6 +20,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83351-7
++
+ ocil_clause: 'page allocator poisoning is not enabled'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 168dae46a1..6fd1082292 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -19,6 +19,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83361-6
++
+ ocil_clause: 'Kernel page-table isolation is not enabled'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 83e043179d..c499140c35 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -20,6 +20,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83371-5
++
+ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index c37e8bbefd..7edd43074f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -17,6 +17,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83381-4
++
+ ocil_clause: 'vsyscalls are enabled'
+ 
+ ocil: |-
+
+From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 9 Jul 2020 14:36:28 +0200
+Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile
+
+These rules check and ensure configuration of BLS boot options used by
+zIPL.
+---
+ rhel8/profiles/ospp.profile | 8 ++++++++
+ rhel8/profiles/stig.profile | 6 ++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 80e4b71fff..d3732fa805 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -419,3 +419,11 @@ selections:
+     # zIPl specific rules
+     - zipl_bls_entries_only
+     - zipl_bootmap_is_up_to_date
++    - zipl_audit_argument
++    - zipl_audit_backlog_limit_argument
++    - zipl_slub_debug_argument
++    - zipl_page_poison_argument
++    - zipl_vsyscall_argument
++    - zipl_vsyscall_argument.role=unscored
++    - zipl_vsyscall_argument.severity=info
++    - zipl_pti_argument
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index cfc2160be1..69d5222a32 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -49,3 +49,9 @@ selections:
+     # Unselect zIPL rules from OSPP
+     - "!zipl_bls_entries_only"
+     - "!zipl_bootmap_is_up_to_date"
++    - "!zipl_audit_argument"
++    - "!zipl_audit_backlog_limit_argument"
++    - "!zipl_page_poison_argument"
++    - "!zipl_pti_argument"
++    - "!zipl_slub_debug_argument"
++    - "!zipl_vsyscall_argument"
+
+From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 9 Jul 2020 22:30:25 +0200
+Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements
+
+Just like rule selection, allows rule refinements to be unselected, or "undone".
+---
+ build-scripts/compile_profiles.py | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py
+index 0967252348..d1ce8984b2 100644
+--- a/build-scripts/compile_profiles.py
++++ b/build-scripts/compile_profiles.py
+@@ -3,6 +3,7 @@
+ import argparse
+ import sys
+ import os.path
++from copy import deepcopy
+ from glob import glob
+ 
+ import ssg.build_yaml
+@@ -36,7 +37,8 @@ def resolve(self, all_profiles):
+             updated_variables.update(self.variables)
+             self.variables = updated_variables
+ 
+-            updated_refinements = dict(extended_profile.refine_rules)
++            extended_refinements = deepcopy(extended_profile.refine_rules)
++            updated_refinements = self._subtract_refinements(extended_refinements)
+             updated_refinements.update(self.refine_rules)
+             self.refine_rules = updated_refinements
+ 
+@@ -50,6 +52,18 @@ def resolve(self, all_profiles):
+ 
+         self.resolved = True
+ 
++    def _subtract_refinements(self, extended_refinements):
++        """
++        Given a dict of rule refinements from the extended profile,
++        "undo" every refinement prefixed with '!' in this profile.
++        """
++        for rule, refinements in list(self.refine_rules.items()):
++            if rule.startswith("!"):
++                for prop, val in refinements:
++                    extended_refinements[rule[1:]].remove((prop, val))
++                del self.refine_rules[rule]
++        return extended_refinements
++
+ 
+ def create_parser():
+     parser = argparse.ArgumentParser()
+
+From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 9 Jul 2020 22:32:32 +0200
+Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules
+
+Remove the zIPl rule refinementes from STIG profile
+---
+ rhel8/profiles/stig.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 69d5222a32..53647475aa 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -55,3 +55,5 @@ selections:
+     - "!zipl_pti_argument"
+     - "!zipl_slub_debug_argument"
+     - "!zipl_vsyscall_argument"
++    - "!zipl_vsyscall_argument.role=unscored"
++    - "!zipl_vsyscall_argument.severity=info"
+
+From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 10 Jul 2020 09:38:57 +0200
+Subject: [PATCH 11/18] Update stable test for OSPP Profile
+
+I just copied the resolved profile to profile_stability directory.
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 08dcccf24c..5aa3592496 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -168,6 +168,7 @@ selections:
+ - service_rngd_enabled
+ - service_systemd-coredump_disabled
+ - service_usbguard_enabled
++- ssh_client_rekey_limit
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+@@ -213,8 +214,14 @@ selections:
+ - sysctl_user_max_user_namespaces
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
++- zipl_audit_argument
++- zipl_audit_backlog_limit_argument
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
++- zipl_page_poison_argument
++- zipl_pti_argument
++- zipl_slub_debug_argument
++- zipl_vsyscall_argument
+ - var_sshd_set_keepalive=0
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+@@ -238,11 +245,12 @@ selections:
+ - var_accounts_passwords_pam_faillock_deny=3
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - var_accounts_passwords_pam_faillock_unlock_time=never
++- var_ssh_client_rekey_limit_size=1G
++- var_ssh_client_rekey_limit_time=1hour
+ - grub2_vsyscall_argument.role=unscored
+ - grub2_vsyscall_argument.severity=info
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
+-- ssh_client_rekey_limit
+-- var_ssh_client_rekey_limit_size=1G
+-- var_ssh_client_rekey_limit_time=1hour
++- zipl_vsyscall_argument.role=unscored
++- zipl_vsyscall_argument.severity=info
+ title: Protection Profile for General Purpose Operating Systems
+
+From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 10 Jul 2020 15:15:25 +0200
+Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios
+
+---
+ .../tests/correct_option.pass.sh                 | 16 ++++++++++++++++
+ .../tests/missing_in_cmdline.fail.sh             | 14 ++++++++++++++
+ .../tests/missing_in_entry.fail.sh               | 14 ++++++++++++++
+ 3 files changed, 44 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+new file mode 100644
+index 0000000000..a9bd49dd0b
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+@@ -0,0 +1,16 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Make sure boot loader entries contain audit=1
++for file in /boot/loader/entries/*.conf
++do
++    if ! grep -q '^options.*audit=1.*$' "$file" ; then
++        sed -i '/^options / s/$/audit=1/' "$file"
++    fi
++done
++
++# Make sure /etc/kernel/cmdline contains audit=1
++if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
++    echo "audit=1" >> /etc/kernel/cmdline
++fi
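Review bot: `sed -i '/^options / s/$/audit=1/'` appends the argument with no separating space, so an entry `options root=... quiet` becomes `...quietaudit=1`, which neither the kernel nor the OVAL state `^(?:.*\s)?audit=1(?:\s.*)?$` accepts; this pass scenario will therefore fail against the very check it is meant to pass. Use `sed -i '/^options / s/$/ audit=1/' "$file"`. The guard `grep -q '^(.*\s)?audit=1(\s.*)?$'` also lacks `-E`, so it never matches and `audit=1` is appended to the cmdline on every run; use `grep -Eq '(^|\s)audit=1(\s|$)'`.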
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+new file mode 100644
+index 0000000000..d4d1d978c8
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Make sure boot loader entries contain audit=1
++for file in /boot/loader/entries/*.conf
++do
++    if ! grep -q '^options.*audit=1.*$' "$file" ; then
++        sed -i '/^options / s/$/audit=1/' "$file"
++    fi
++done
++
++# Make sure /etc/kernel/cmdline doesn't contain audit=1
++sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+new file mode 100644
+index 0000000000..3e412c0542
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Remove audit=1 from all boot entries
++sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
++# But make sure one boot loader entry contains audit=1
++sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
++sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
++
++# Make sure /etc/kernel/cmdline contains audit=1
++if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
++    echo "audit=1" >> /etc/kernel/cmdline
++fi
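Review bot: The scenario means to leave one compliant entry (the rescue one) so the check proves it requires every entry, but `sed -i '/^options / s/$/audit=1/'` glues `audit=1` to the previous token without a space, so the rescue entry fails too and the "one compliant, others not" case is never exercised; use `s/$/ audit=1/`. Stripping `$kernelopts` from the rescue entry also suggests entries on the test platform carry that variable; the OVAL object matches the literal options line and does not expand it, so confirm that zipl does not rely on grubenv for these entries, otherwise compliant systems would be reported as failing.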
+
+From 3b52ab44e043adb289ef0a96798cffaf3e1f35a1 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 10 Jul 2020 15:34:52 +0200
+Subject: [PATCH 13/18] zipl_bls_entries_option: Remove hardcoded values
+
+The template shouldn't have any hardcoded values.
+---
+ shared/templates/template_BASH_zipl_bls_entries_option | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
+index 9fc8865486..dde8c948f7 100644
+--- a/shared/templates/template_BASH_zipl_bls_entries_option
++++ b/shared/templates/template_BASH_zipl_bls_entries_option
+@@ -7,6 +7,5 @@ grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+ if [ ! -f /etc/kernel/cmdline ]; then
+     echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
+ elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
+-    echo " audit=1" >> /etc/kernel/cmdline
+-    sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
++    sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline
+ fi
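Review bot: The new `sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline` does nothing when the file exists but is empty, because sed has no line to edit, so the argument is silently not persisted; it would also append to every line should the file ever hold more than one. Routing the empty-file case to the existing echo branch covers it with a one-character change to the first condition of this `if`: `if [ ! -s /etc/kernel/cmdline ]; then`, since `-s` is false for both a missing and a zero-length file. The `grubby` call that precedes this block is outside the hunk.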
+
+From 68bff71c7f60a7c68cf0bd9aa153f8a78ec02b7d Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 10 Jul 2020 16:08:26 +0200
+Subject: [PATCH 14/18] Improve conditional check for the grubby command
+
+Let's not trust that /boot/loader/entries/ only contains *.conf files.
+Count the number of conf files and how many set the propper options.
+---
+ .../template_ANSIBLE_zipl_bls_entries_option       | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+index c0cb131b82..bccad2267c 100644
+--- a/shared/templates/template_ANSIBLE_zipl_bls_entries_option
++++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+@@ -6,18 +6,22 @@
+ 
+ - name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
+   block:
+-    - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
++    - name: "Check how many boot entries exist "
++      find:
++        paths: "/boot/loader/entries/"
++        patterns: "*.conf"
++      register: n_entries
++
++    - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}"
+       find:
+         paths: "/boot/loader/entries/"
+         contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
+         patterns: "*.conf"
+-      register: entries_options
++      register: n_entries_options
+ 
+     - name: "Update boot entries options"
+       command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+-      when: entries_options is defined and entries_options.examined != entries_options.matched
+-      # The conditional above assumes that only *.conf files are present in /boot/loader/entries
+-      # Then, the number of conf files is the same as examined files
++      when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched
+ 
+     - name: "Check if /etc/kernel/cmdline exists"
+       stat:
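Review bot: The task name `"Check how many boot entries exist "` carries a trailing space, which is printed verbatim in play output and differs from the naming of the sibling tasks; `name: "Check how many boot entries exist"` is enough. Separately, the `contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"` regex has no word boundaries, so an options line containing the value only as part of a longer token would be counted as already set, whereas the OCIL text elsewhere in this series matches `\b...\b`; it is worth confirming that the check and this remediation agree on what counts as present. The block continues past the hunk with the `/etc/kernel/cmdline` tasks.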
+
+From 79c60bb40288c17381bf1e4a84e6cfd300bd8446 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 10 Jul 2020 16:17:27 +0200
+Subject: [PATCH 15/18] zipl_bls_entries_option: Fix sed in test scenario
+
+Append "audit=1" space from last option.
+---
+ .../zipl_audit_argument/tests/correct_option.pass.sh            | 2 +-
+ .../zipl_audit_argument/tests/missing_in_cmdline.fail.sh        | 2 +-
+ .../zipl_audit_argument/tests/missing_in_entry.fail.sh          | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+index a9bd49dd0b..5fcbcc5667 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+@@ -6,7 +6,7 @@
+ for file in /boot/loader/entries/*.conf
+ do
+     if ! grep -q '^options.*audit=1.*$' "$file" ; then
+-        sed -i '/^options / s/$/audit=1/' "$file"
++        sed -i '/^options / s/$/ audit=1/' "$file"
+     fi
+ done
+ 
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+index d4d1d978c8..b75165f904 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+@@ -6,7 +6,7 @@
+ for file in /boot/loader/entries/*.conf
+ do
+     if ! grep -q '^options.*audit=1.*$' "$file" ; then
+-        sed -i '/^options / s/$/audit=1/' "$file"
++        sed -i '/^options / s/$/ audit=1/' "$file"
+     fi
+ done
+ 
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+index 3e412c0542..e3d342d533 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+@@ -5,7 +5,7 @@
+ # Remove audit=1 from all boot entries
+ sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
+ # But make sure one boot loader entry contains audit=1
+-sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
++sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
+ sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+ 
+ # Make sure /etc/kernel/cmdline contains audit=1
+
+From d513177d2cea39db364a0ff39a599ded36a25395 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 10 Jul 2020 16:29:06 +0200
+Subject: [PATCH 16/18] Extend scenarios platform and allow remediation
+
+These test scenarios can be run on any OS that supports BLS and provides
+grubby.
+But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.:
+has s390utils-base installed).
+---
+ .../zipl_audit_argument/tests/correct_option.pass.sh           | 3 +--
+ .../zipl_audit_argument/tests/missing_in_cmdline.fail.sh       | 3 +--
+ .../zipl_audit_argument/tests/missing_in_entry.fail.sh         | 3 +--
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+index 5fcbcc5667..73ed0eae0f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 8
+-# remediation = none
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+ 
+ # Make sure boot loader entries contain audit=1
+ for file in /boot/loader/entries/*.conf
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+index b75165f904..3af83d30d8 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 8
+-# remediation = none
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+ 
+ # Make sure boot loader entries contain audit=1
+ for file in /boot/loader/entries/*.conf
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+index e3d342d533..142f75ba60 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+-# platform = Red Hat Enterprise Linux 8
+-# remediation = none
++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+ 
+ # Remove audit=1 from all boot entries
+ sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
+
+From 2e841722d30551c86f14558ff39bdaa5dda55711 Mon Sep 17 00:00:00 2001
+From: Watson Yuuma Sato <wsato@redhat.com>
+Date: Fri, 10 Jul 2020 16:35:55 +0200
+Subject: [PATCH 17/18] Update comment in OVAL zipl_bls_entries_option
+
+Co-authored-by: vojtapolasek <krecoun@gmail.com>
+---
+ shared/templates/template_OVAL_zipl_bls_entries_option | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
+index 9af1bcfbee..502d5e7d9a 100644
+--- a/shared/templates/template_OVAL_zipl_bls_entries_option
++++ b/shared/templates/template_OVAL_zipl_bls_entries_option
+@@ -7,7 +7,7 @@
+     </metadata>
+     <criteria operator="AND">
+       <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+-      comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
++      comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
+       <criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+       comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
+     </criteria>
+
+From 9bd0afbde47ef368444ba1785da593980e6e00aa Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 10 Jul 2020 17:15:46 +0200
+Subject: [PATCH 18/18] zipl_bls_entries_option: Supress grep error messages
+
+/etc/kernel/cmdline is not always present. Lest suppress any error
+message about absent file in the test scenarios.
+---
+ .../zipl_audit_argument/tests/correct_option.pass.sh            | 2 +-
+ .../zipl_audit_argument/tests/missing_in_entry.fail.sh          | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+index 73ed0eae0f..7a828837fe 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+@@ -10,6 +10,6 @@ do
+ done
+ 
+ # Make sure /etc/kernel/cmdline contains audit=1
+-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
++if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+     echo "audit=1" >> /etc/kernel/cmdline
+ fi
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+index 142f75ba60..5650cc0a74 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+@@ -8,6 +8,6 @@ sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
+ sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+ 
+ # Make sure /etc/kernel/cmdline contains audit=1
+-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
++if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+     echo "audit=1" >> /etc/kernel/cmdline
+ fi
diff --git a/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch b/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
new file mode 100644
index 0000000..81d85cc
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
@@ -0,0 +1,884 @@
+From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 25 Jun 2020 18:29:31 +0200
+Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS
+
+Instead of having each zIPL argument rule check for BLS compliance,
+let's split into its own rule.
+---
+ .../zipl_audit_argument/rule.yml              |  6 -----
+ .../rule.yml                                  |  6 -----
+ .../zipl_bls_entries_only/rule.yml            | 24 +++++++++++++++++++
+ .../zipl_enable_selinux/rule.yml              |  6 -----
+ .../zipl_page_poison_argument/rule.yml        |  6 -----
+ .../zipl_pti_argument/rule.yml                |  6 -----
+ .../zipl_slub_debug_argument/rule.yml         |  6 -----
+ .../zipl_vsyscall_argument/rule.yml           |  6 -----
+ 8 files changed, 24 insertions(+), 42 deletions(-)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 2d31ef8ee7..1211a53295 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To ensure all processes can be audited, even those which start prior to the audit daemon,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
+     included in its options.<br />
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to enable audit,
+@@ -30,10 +28,6 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that doesn't enable audit.
+ 
+-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 40db232257..7d88e38686 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
+     included in its options.<br />
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+@@ -31,10 +29,6 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+ 
+-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+new file mode 100644
+index 0000000000..b6ccbb5343
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+@@ -0,0 +1,24 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Ensure all zIPL boot entries are BLS compliant'
++
++description: |-
++    Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
++    by checking that <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt>.
++
++rationale: |-
++    {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of
++    configuration.
++
++severity: medium
++
++ocil_clause: 'a non BLS boot entry is configured'
++
++ocil: |-
++  Check that no boot image file is specified in <tt>/etc/zipl.conf</tt>:
++  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
++  No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
++
++platform: machine
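Review bot: Two wording slips in the new rule text: the description should read `Ensure that zIPL boot entries fully adhere to Boot Loader Specification (BLS)` (plural subject), and the rationale has `prefered` for `preferred`. Both are user-facing strings in the generated guide, so they are worth fixing before the rule ships.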
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+index 8d28d5495f..1c3bfeb246 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To ensure SELinux is not disabled at boot time,
+     check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
+     included in its options.<br />
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+ rationale: |-
+@@ -27,10 +25,6 @@ ocil: |-
+     <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
+     No line should be returned, each line returned is a boot entry that disables SELinux.
+ 
+-    Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+-    <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+-    No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+     And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+     and <tt>/etc/zipl.conf</tt>:
+     <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index 0a8e9a41e2..6dbfd501b7 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable poisoning of free pages,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
+     included in its options.<br />
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
+ 
+     To ensure that new kernels and boot entries continue to enable page poisoning,
+@@ -31,10 +29,6 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+ 
+-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 20c1448cc8..555fdf2b66 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable Kernel page-table isolation,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+     included in its options.<br />
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to enable page-table isolation,
+@@ -30,10 +28,6 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+ 
+-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 54ac688ea0..dd7865bf81 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+     included in its options.<br />
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+@@ -31,10 +29,6 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that does not enable poisoning.
+ 
+-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index c5979a2016..18b7ade460 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To disable use of virtual syscalls,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
+     included in its options.<br />
+-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to disable virtual syscalls,
+@@ -28,10 +26,6 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+ 
+-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+-
+   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+   and <tt>/etc/zipl.conf</tt>:
+   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+
+From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 2 Jul 2020 09:52:39 +0200
+Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests
+
+---
+ .../zipl_bls_entries_only/oval/shared.xml     | 27 +++++++++++++++++++
+ .../tests/image_configured.fail.sh            |  6 +++++
+ .../tests/no_image.pass.sh                    |  7 +++++
+ 3 files changed, 40 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+new file mode 100644
+index 0000000000..41e9773814
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+@@ -0,0 +1,27 @@
++<def-group>
++  <definition class="compliance" id="zipl_bls_entries_only" version="1">
++    <metadata>
++      <title>Ensure zIPL entries are BLS compliant</title>
++      {{{- oval_affected(products) }}}
++      <description>Check if /etc/zipl.conf configures any boot entry</description>
++    </metadata>
++    <criteria operator="AND">
++      <criterion test_ref="test_zipl_bls_entries_only"
++      comment="Test presence of image configuration in /etc/zipl.conf" />
++    </criteria>
++  </definition>
++
++  <ind:textfilecontent54_test id="test_zipl_bls_entries_only"
++  comment="Test presence of image configuration in /etc/zipl.conf"
++  check="all" check_existence="none_exist" version="1">
++    <ind:object object_ref="object_zipl_bls_entries_only" />
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
++  version="1">
++    <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
++    <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
++    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++</def-group>
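Review bot: `<ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>` uses a regex for a fixed path, so the unescaped `.` is a metacharacter rather than a literal dot; since no pattern is needed here, `<ind:filepath>/etc/zipl.conf</ind:filepath>` with the default `equals` operation states the intent exactly, or escape it as `^/etc/zipl\.conf$` if a pattern is kept on purpose. The `^image\s*=.*$` pattern only matches an unindented key; if zipl.conf entries are ever written with leading whitespace this would miss them, which may be worth confirming against the format the rule is meant to catch.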
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
+new file mode 100644
+index 0000000000..e3adb99638
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Make sure no image configured in zipl config file
++echo 'image = /boot/image' >> /etc/zipl.conf
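Review bot: The comment `# Make sure no image configured in zipl config file` contradicts the line below it, which adds an `image =` entry to make the scenario fail; it reads as a copy of the pass scenario's comment. Suggested wording: `# Configure a non-BLS boot entry (image =) in the zipl config file`.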
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
+new file mode 100644
+index 0000000000..47626442f6
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++# Make sure no image configured in zipl config file
++sed -Ei '/^image\s*=/d' /etc/zipl.conf
++true
+
+From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 2 Jul 2020 11:09:08 +0200
+Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning
+
+Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
+is tricky and can lead to broken entries or removal of all of them.
+---
+ .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml    | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+index b6ccbb5343..f792c5257f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+@@ -22,3 +22,8 @@ ocil: |-
+   No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
+ 
+ platform: machine
++
++warnings:
++  - general: |-
++      To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
++      automated remediation for this rule is not available.
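Review bot: The new warning text has a typo, `oconfigured`, and reads better with a comma before the main clause: `To prevent breakage or removal of all boot entries configured in /etc/zipl.conf, automated remediation for this rule is not available.` This string is rendered into the guide, so the typo is user-visible.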
+
+From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 25 Jun 2020 18:51:04 +0200
+Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap
+
+Instead of having each zIPL argument rule check if zIPL bootmap is up to
+date, let's split it into its own rule.
+---
+ .../zipl_audit_argument/rule.yml              |  6 -----
+ .../rule.yml                                  |  7 -----
+ .../zipl_bootmap_is_up_to_date/rule.yml       | 27 +++++++++++++++++++
+ .../zipl_enable_selinux/rule.yml              |  6 -----
+ .../zipl_page_poison_argument/rule.yml        |  7 -----
+ .../zipl_pti_argument/rule.yml                |  7 -----
+ .../zipl_slub_debug_argument/rule.yml         |  7 -----
+ .../zipl_vsyscall_argument/rule.yml           |  7 -----
+ 8 files changed, 27 insertions(+), 47 deletions(-)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index 1211a53295..624b4e7041 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -8,7 +8,6 @@ description: |-
+     To ensure all processes can be audited, even those which start prior to the audit daemon,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
+     included in its options.<br />
+-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+     To ensure that new kernels and boot entries continue to enable audit,
+     add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
+@@ -28,9 +27,4 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that doesn't enable audit.
+ 
+-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+-  and <tt>/etc/zipl.conf</tt>:
+-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 7d88e38686..faf114591a 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
+     included in its options.<br />
+-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+-
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+     add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+@@ -29,9 +27,4 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+ 
+-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+-  and <tt>/etc/zipl.conf</tt>:
+-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+new file mode 100644
+index 0000000000..082562d11e
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+@@ -0,0 +1,27 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Ensure zIPL bootmap is up to date'
++
++description: |-
++    Make sure that <tt>/boot/bootmap</tt> is up to date.<br />
++    Every time a boot entry or zIPL configuration is changed <tt>/boot/bootmap</tt> needs to
++    be updated to reflect the changes.<br />
++    Run <tt>zipl</tt> command to generate an updated <tt>/boot/bootmap</tt>.
++
++rationale: |-
++    The file <tt>/boot/bootmap</tt> contains all boot data, keeping it up to date is crucial to
++    boot correct kernel and options.
++
++severity: medium
++
++ocil_clause: 'the bootmap is outdated'
++
++ocil: |-
++  Make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
++  and <tt>/etc/zipl.conf</tt>:
++  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
++  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> is outdated and needs to be regenerated.
++
++platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+index 1c3bfeb246..b0bc0fc374 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -8,7 +8,6 @@ description: |-
+     To ensure SELinux is not disabled at boot time,
+     check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
+     included in its options.<br />
+-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+ 
+ rationale: |-
+     Disabling a major host protection feature, such as SELinux, at boot time prevents
+@@ -25,9 +24,4 @@ ocil: |-
+     <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
+     No line should be returned, each line returned is a boot entry that disables SELinux.
+ 
+-    And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+-    and <tt>/etc/zipl.conf</tt>:
+-    <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+-    No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index 6dbfd501b7..866664c01b 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable poisoning of free pages,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
+     included in its options.<br />
+-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
+-
+     To ensure that new kernels and boot entries continue to enable page poisoning,
+     add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+@@ -29,9 +27,4 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+ 
+-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+-  and <tt>/etc/zipl.conf</tt>:
+-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 555fdf2b66..2f02d9668c 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable Kernel page-table isolation,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+     included in its options.<br />
+-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+-
+     To ensure that new kernels and boot entries continue to enable page-table isolation,
+     add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+@@ -28,9 +26,4 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+ 
+-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+-  and <tt>/etc/zipl.conf</tt>:
+-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index dd7865bf81..0cb10d3cd8 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To enable poisoning of SLUB/SLAB objects,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+     included in its options.<br />
+-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+-
+     To ensure that new kernels and boot entries continue to extend the audit log events queue,
+     add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+@@ -29,9 +27,4 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that does not enable poisoning.
+ 
+-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+-  and <tt>/etc/zipl.conf</tt>:
+-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+-
+ platform: machine
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 18b7ade460..f79adeb083 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -8,8 +8,6 @@ description: |-
+     To disable use of virtual syscalls,
+     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
+     included in its options.<br />
+-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
+-
+     To ensure that new kernels and boot entries continue to disable virtual syscalls,
+     add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
+ 
+@@ -26,9 +24,4 @@ ocil: |-
+   <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
+   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+ 
+-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+-  and <tt>/etc/zipl.conf</tt>:
+-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+-
+ platform: machine
+
+From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 2 Jul 2020 15:59:31 +0200
+Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check
+
+---
+ .../oval/shared.xml                           | 46 +++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
+new file mode 100644
+index 0000000000..6c446cbe59
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
+@@ -0,0 +1,46 @@
++<def-group>
++  <definition class="compliance" id="zipl_bootmap_is_up_to_date" version="1">
++    <metadata>
++      <title>Ensure zIPL bootmap is up to date</title>
++      {{{- oval_affected(products) }}}
++      <description>Check if /boot/bootmap is up to date</description>
++    </metadata>
++    <criteria operator="AND">
++      <criterion test_ref="test_zipl_bootmap_is_up_to_date"
++      comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf" />
++    </criteria>
++  </definition>
++
++  <unix:file_test check="all" check_existence="all_exist" id="test_zipl_bootmap_is_up_to_date" version="1" comment="Check /boot/bootmap timestamps">
++    <unix:object object_ref="object_zipl_boot_bootmap_file" />
++    <unix:state state_ref="state_zipl_bootmap_is_newer_than_zipl_conf" />
++    <unix:state state_ref="state_zipl_bootmap_is_newer_than_boot_entries" />
++  </unix:file_test>
++
++  <unix:file_object id="object_zipl_boot_bootmap_file" comment="current bootmap state" version="1">
++    <unix:filepath>/boot/bootmap</unix:filepath>
++  </unix:file_object>
++
++  <!-- Newer means modified more recently, which means more seconds since epoch -->
++  <unix:file_state id="state_zipl_bootmap_is_newer_than_zipl_conf" version="1">
++    <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
++    var_ref="variable_zipl_conf_file_age" />
++  </unix:file_state>
++  <local_variable id="variable_zipl_conf_file_age" version="1" comment="Age of /etc/zipl.conf" datatype="int">
++    <object_component object_ref="zipl_conf_file" item_field="m_time"/>
++  </local_variable>
++  <unix:file_object id="zipl_conf_file" comment="/etc/zipl.conf state" version="1">
++    <unix:filepath datatype="string">/etc/zipl.conf</unix:filepath>
++  </unix:file_object>
++
++  <unix:file_state id="state_zipl_bootmap_is_newer_than_boot_entries" version="1">
++    <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
++    var_ref="variable_boot_entry_files_age" />
++  </unix:file_state>
++  <local_variable id="variable_boot_entry_files_age" version="1" comment="Age of /boot/loader/entries/*.conf files" datatype="int">
++    <object_component object_ref="boot_entry_files" item_field="m_time"/>
++  </local_variable>
++  <unix:file_object id="boot_entry_files" comment="/boot/loader/entries/*.conf states" version="1">
++    <unix:filepath datatype="string" operation="pattern match">^/boot/loader/entries/.*\.conf$</unix:filepath>
++  </unix:file_object>
++</def-group>
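Review bot: Both states take their threshold from a variable built from a separate object, and as I read the OVAL variable semantics a variable with no collected values makes the state evaluation an error rather than false; on a host where `/etc/zipl.conf` is absent or `/boot/loader/entries/` holds no `*.conf`, the definition would then report an error instead of a verdict, which the `zipl_bootmap_is_up_to_date` rule neither guards against nor documents. If both files are expected to exist, say so in the metadata, e.g. `<description>Check that /boot/bootmap is at least as new as /etc/zipl.conf and every /boot/loader/entries/*.conf (both are expected to exist)</description>`; otherwise add an existence criterion for them. Note also that `greater than or equal` accepts equal second-resolution mtimes while the OCIL's `find -newer` rejects them, so manual and automated results can differ when zipl ran in the same second as the edit. The comparison is a timestamp heuristic (it detects a stale bootmap, not a bootmap whose mtime was updated without running zipl), which the description could state so reviewers do not read it as a content check.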
+
+From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 2 Jul 2020 16:15:35 +0200
+Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests
+
+These tests mock existence of zIPL files.
+---
+ .../tests/newer_boot_entry.fail.sh                     | 10 ++++++++++
+ .../tests/newer_zipl_conf.fail.sh                      | 10 ++++++++++
+ .../tests/up_to_date.pass.sh                           |  9 +++++++++
+ 3 files changed, 29 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
+new file mode 100644
+index 0000000000..728c6b7bdb
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++touch /etc/zipl.conf
++touch /boot/loader/entries/*.conf # Update current existing entries
++touch /boot/loader/entries/zipl-entry-1.conf
++touch /boot/bootmap
++sleep 2
++touch /boot/loader/entries/zipl-entry-2.conf
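Review bot: `touch /boot/loader/entries/*.conf` creates a literal file named `*.conf` when the glob matches nothing, because bash passes unmatched globs through unchanged; that file also matches the OVAL pattern `^/boot/loader/entries/.*\.conf$`, so the fixture silently adds a boot entry the test did not intend. Enable `shopt -s nullglob` before the touch, or drop the line since the fixture creates its own entries on the following lines. The same line appears in newer_zipl_conf.fail.sh and up_to_date.pass.sh.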
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
+new file mode 100644
+index 0000000000..1ae4d631ee
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++touch /boot/loader/entries/*.conf # Update current existing entries
++touch /boot/loader/entries/zipl-entry-1.conf
++touch /boot/loader/entries/zipl-entry-2.conf
++touch /boot/bootmap
++sleep 2
++touch /etc/zipl.conf
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
+new file mode 100644
+index 0000000000..7981ba8c5c
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
+@@ -0,0 +1,9 @@
++#!/bin/bash
++# platform = Red Hat Enterprise Linux 8
++# remediation = none
++
++touch /etc/zipl.conf
++touch /boot/loader/entries/*.conf # Update current existing entries
++touch /boot/loader/entries/zipl-entry-1.conf
++touch /boot/loader/entries/zipl-entry-2.conf
++touch /boot/bootmap
+
+From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 3 Jul 2020 18:35:06 +0200
+Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations
+
+---
+ .../ansible/shared.yml                        | 24 +++++++++++++++++++
+ .../zipl_bootmap_is_up_to_date/bash/shared.sh |  3 +++
+ 2 files changed, 27 insertions(+)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
+new file mode 100644
+index 0000000000..e545eacc13
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
+@@ -0,0 +1,24 @@
++# platform = Red Hat Enterprise Linux 8
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++
++- name: "Ensure zIPL bootmap is up to date"
++  block:
++    - name: "Obtain stats of /boot/bootmap"
++      stat:
++        path: /boot/bootmap
++      register: boot_bootmap
++
++    - name: "Obtain stats of /etc/zipl.conf"
++      stat:
++        path: /etc/zipl.conf
++      register: zipl_conf
++
++    # TODO: handle /boot/loader/entries/*.conf
++
++    - name: "Update zIPL bootmap"
++      command: /usr/sbin/zipl
++      changed_when: True
++      when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
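Review bot: The remediation only compares `/boot/bootmap` against `/etc/zipl.conf`, while the OVAL check for this rule (and the `newer_boot_entry.fail.sh` fixture) also compares it against every `/boot/loader/entries/*.conf`, so a host failing on a newer boot entry is left failing after remediation; the `# TODO` on the line above acknowledges this. The `when` expression also dereferences `zipl_conf.stat.mtime` and `boot_bootmap.stat.mtime` without checking `stat.exists`, so a missing file makes the task error rather than run or skip zipl. Adding a `find` over the entries directory and folding its newest mtime into the condition closes both gaps; the hunk is the whole new file, so the block below is the complete tail of the `block:` list.
```yaml
    # … unchanged: stat tasks for /boot/bootmap and /etc/zipl.conf …

    - name: "Obtain stats of /boot/loader/entries/*.conf"
      find:
        paths: /boot/loader/entries
        patterns: '*.conf'
      register: boot_entries

    - name: "Update zIPL bootmap"
      command: /usr/sbin/zipl
      changed_when: True
      when: >-
        not boot_bootmap.stat.exists
        or (zipl_conf.stat.exists and boot_bootmap.stat.mtime < zipl_conf.stat.mtime)
        or (boot_entries.matched > 0
            and boot_bootmap.stat.mtime < (boot_entries.files | map(attribute='mtime') | max))
```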
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+new file mode 100644
+index 0000000000..2cf7e388f0
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+@@ -0,0 +1,3 @@
++# platform = Red Hat Enterprise Linux 8
++
++/usr/bin/zipl
+
+From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 1 Jul 2020 17:16:41 +0200
+Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile
+
+---
+ rhel8/profiles/ospp.profile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 07d32b814d..80e4b71fff 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -415,3 +415,7 @@ selections:
+     - ssh_client_rekey_limit
+     - var_ssh_client_rekey_limit_size=1G
+     - var_ssh_client_rekey_limit_time=1hour
++
++    # zIPl specific rules
++    - zipl_bls_entries_only
++    - zipl_bootmap_is_up_to_date
+
+From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 8 Jul 2020 14:03:21 +0200
+Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation
+
+---
+ .../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh   | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+index 2cf7e388f0..2310ca060d 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+@@ -1,3 +1,3 @@
+ # platform = Red Hat Enterprise Linux 8
+ 
+-/usr/bin/zipl
++/usr/sbin/zipl
+
+From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 8 Jul 2020 14:06:22 +0200
+Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces
+
+There can be leading spaces before 'image'.
+---
+ .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml       | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+index 41e9773814..f68d91c128 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+@@ -20,7 +20,7 @@
+   <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
+   version="1">
+     <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+-    <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
++    <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+
+From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 8 Jul 2020 14:10:22 +0200
+Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf
+
+There is no need to perform pattern match, the check just needs to
+examine /etc/zipl.conf file.
+---
+ .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml       | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+index f68d91c128..1ebf03ee37 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+@@ -19,7 +19,7 @@
+ 
+   <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
+   version="1">
+-    <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
++    <ind:filepath operation="equals">/etc/zipl.conf</ind:filepath>
+     <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+
+From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 8 Jul 2020 14:13:26 +0200
+Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules
+
+Add RHEL-8 CCE identifiers for:
+- zipl_bls_entries_only
+- zipl_bootmap_is_up_to_date
+---
+ .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml      | 3 +++
+ .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+index f792c5257f..67cc061ce3 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+@@ -14,6 +14,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83485-3
++
+ ocil_clause: 'a non BLS boot entry is configured'
+ 
+ ocil: |-
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+index 082562d11e..da9411d00b 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+@@ -16,6 +16,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++    cce@rhel8: 83486-1
++
+ ocil_clause: 'the bootmap is outdated'
+ 
+ ocil: |-
+
+From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 8 Jul 2020 14:16:58 +0200
+Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test
+
+Update the profile reference file.
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index b0d7672c36..08dcccf24c 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -213,6 +213,8 @@ selections:
+ - sysctl_user_max_user_namespaces
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
++- zipl_bls_entries_only
++- zipl_bootmap_is_up_to_date
+ - var_sshd_set_keepalive=0
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+
+From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 8 Jul 2020 15:28:09 +0200
+Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile
+
+The zIPL rules are inherited from OSPP profile
+---
+ rhel8/profiles/stig.profile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 8f12852e26..cfc2160be1 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -45,3 +45,7 @@ selections:
+     - rsyslog_remote_tls
+     - rsyslog_remote_tls_cacert
+     - "!ssh_client_rekey_limit"
++
++    # Unselect zIPL rules from OSPP
++    - "!zipl_bls_entries_only"
++    - "!zipl_bootmap_is_up_to_date"
diff --git a/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch b/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
new file mode 100644
index 0000000..9154e40
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
@@ -0,0 +1,280 @@
+From 844be904d8de624abe9bbe620d7a06417dfff842 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 27 Aug 2020 13:19:01 +0200
+Subject: [PATCH 1/5] Align Ansible task applicability with CPE platform
+
+Adds a when clause to Ansible snippets of rules with Package CPE platform.
+
+If the when clause is added, a fact_packages Task needs to added as
+well.
+---
+ ssg/build_remediations.py | 52 ++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index a9ef3014ac..597aed5889 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -6,8 +6,7 @@
+ import os.path
+ import re
+ import codecs
+-from collections import defaultdict, namedtuple
+-
++from collections import defaultdict, namedtuple, OrderedDict
+ 
+ import ssg.yaml
+ from . import build_yaml
+@@ -343,11 +342,46 @@ def _get_rule_reference(self, ref_class):
+         else:
+             return []
+ 
++    def inject_package_facts_task(self, parsed_snippet):
++        """ Injects a package_facts task only if
++            the snippet has a task with a when clause with ansible_facts.packages,
++            and the snippet doesn't already have an package_facts task
++        """
++        has_package_facts_task = False
++        has_ansible_facts_packages_clause = False
++
++        for p_task in parsed_snippet:
++            # We are only interested in the OrderedDicts, which represent Ansible tasks
++            if not isinstance(p_task, dict):
++                continue
++
++            if "package_facts" in p_task:
++                has_package_facts_task = True
++
++            if "ansible_facts.packages" in p_task.get("when", ""):
++                has_ansible_facts_packages_clause = True
++
++        if has_ansible_facts_packages_clause and not has_package_facts_task:
++            facts_task = OrderedDict({'name': 'Gather the package facts',
++                                      'package_facts': {'manager': 'auto'}})
++            parsed_snippet.insert(0, facts_task)
++
+     def update_when_from_rule(self, to_update):
+         additional_when = ""
+-        if self.associated_rule.platform == "machine":
+-            additional_when = ('ansible_virtualization_role != "guest" '
+-                               'or ansible_virtualization_type != "docker"')
++        rule_platform = self.associated_rule.platform
++        if rule_platform == "machine":
++            additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
++        elif rule_platform is not None:
++            # Assume any other platform is a Package CPE
++
++            # It doesn't make sense to add a conditional on the task that
++            # gathers data for the conditional
++            if "package_facts" in to_update:
++                return
++
++            additional_when = '"' + rule_platform + '" in ansible_facts.packages'
++            # After adding the conditional, we need to make sure package_facts are collected.
++            # This is done via inject_package_facts_task()
+         to_update.setdefault("when", "")
+         new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
+         if not new_when:
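Review bot: `OrderedDict({'name': ..., 'package_facts': ...})` builds the ordered dict from a plain dict literal, so the resulting key order is only guaranteed on interpreters with insertion-ordered dicts; if the build still runs under Python 2 or 3.5 (the module's `from __future__`/py2-compatible style suggests it may), the injected task can be emitted with `package_facts` before `name`, making the generated playbooks non-deterministic. Pass a list of pairs instead: `facts_task = OrderedDict([('name', 'Gather the package facts'), ('package_facts', {'manager': 'auto'})])`. A short docstring sentence on `inject_package_facts_task` noting that it mutates `parsed_snippet` in place (it inserts at index 0) would also help callers. `update_when_from_rule` continues past the end of this hunk.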
+@@ -355,10 +390,21 @@ def update_when_from_rule(self, to_update):
+             to_update["when"] = new_when
+ 
+     def update(self, parsed, config):
++        # We split the remediation update in three steps
++
++        # 1. Update the when clause
+         for p in parsed:
+             if not isinstance(p, dict):
+                 continue
+             self.update_when_from_rule(p)
++
++        # 2. Inject any extra task necessary
++        self.inject_package_facts_task(parsed)
++
++        # 3. Add tags to all tasks, including the ones we have injected
++        for p in parsed:
++            if not isinstance(p, dict):
++                continue
+             self.update_tags_from_config(p, config)
+             self.update_tags_from_rule(p)
+ 
+
+From 60e5723e0e35ec8d79bafdd113f04691e61738e7 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 27 Aug 2020 17:09:06 +0200
+Subject: [PATCH 2/5] Add inherited_platform to Rule
+
+This field is exported to the rule when it is resolved.
+---
+ ssg/build_yaml.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
+index 4ba114eee4..fe290ffc05 100644
+--- a/ssg/build_yaml.py
++++ b/ssg/build_yaml.py
+@@ -832,6 +832,7 @@ class Rule(object):
+         "conflicts": lambda: list(),
+         "requires": lambda: list(),
+         "platform": lambda: None,
++        "inherited_platforms": lambda: list(),
+         "template": lambda: None,
+     }
+ 
+@@ -851,6 +852,7 @@ def __init__(self, id_):
+         self.requires = []
+         self.conflicts = []
+         self.platform = None
++        self.inherited_platforms = [] # platforms inherited from the group
+         self.template = None
+ 
+     @classmethod
+@@ -1293,6 +1295,9 @@ def _process_rules(self):
+                 continue
+             self.all_rules.add(rule)
+             self.loaded_group.add_rule(rule)
++
++            rule.inherited_platforms.append(self.loaded_group.platform)
++
+             if self.resolved_rules_dir:
+                 output_for_rule = os.path.join(
+                     self.resolved_rules_dir, "{id_}.yml".format(id_=rule.id_))
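Review bot: `rule.inherited_platforms.append(self.loaded_group.platform)` appends `None` whenever the group carries no platform, so every rule in an unplatformed group gets a `[None]` list and the consumer in `build_remediations.py` has to filter it out; guarding the append keeps the exported field meaningful: `if self.loaded_group.platform is not None:` / `    rule.inherited_platforms.append(self.loaded_group.platform)`. Only the directly enclosing group is consulted here, so if ancestor groups can also carry a platform that should constrain the rule, this does not capture them — worth confirming against how groups nest. `_process_rules` starts outside this hunk.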
+
+From 3a0bb0d2981670e90a8eaca53b28e1a6f7cc29d6 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 27 Aug 2020 17:21:35 +0200
+Subject: [PATCH 3/5] Add when clauses for inherited platforms too
+
+Consider the Rule's Group platform while including 'when' clauses to
+Ansible snippets.
+
+Some rules have two platforms, a machine platform and a package
+platform. One of them is represented of the Rule, and the other is
+represented in the Rule's Group.
+
+The platforms are organized like this to due limiation in XCCDF,
+multiple platforms in a Rule are ORed, not ANDed.
+---
+ ssg/build_remediations.py | 44 ++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 17 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 597aed5889..a2a996d0af 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -358,8 +358,13 @@ def inject_package_facts_task(self, parsed_snippet):
+             if "package_facts" in p_task:
+                 has_package_facts_task = True
+ 
+-            if "ansible_facts.packages" in p_task.get("when", ""):
+-                has_ansible_facts_packages_clause = True
++            # When clause of the task can be string or a list, lets normalize to list
++            task_when = p_task.get("when", "")
++            if type(task_when) is str:
++                task_when = [ task_when ]
++            for when in task_when:
++                if "ansible_facts.packages" in when:
++                    has_ansible_facts_packages_clause = True
+ 
+         if has_ansible_facts_packages_clause and not has_package_facts_task:
+             facts_task = OrderedDict({'name': 'Gather the package facts',
+@@ -367,21 +372,26 @@ def inject_package_facts_task(self, parsed_snippet):
+             parsed_snippet.insert(0, facts_task)
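Review bot: `if type(task_when) is str:` only normalizes exact `str` instances, so a `when:` that parses as a bool (`when: yes`) or, on Python 2, as `unicode` is iterated directly and `for when in task_when` / `"ansible_facts.packages" in when` raises `TypeError`. Normalizing everything that is not already a list is both simpler and safer: `if not isinstance(task_when, list):` / `    task_when = [task_when]` and then `if "ansible_facts.packages" in str(when):`. The `[ task_when ]` spacing is also non-PEP 8. `inject_package_facts_task` starts outside this hunk.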
+ 
+     def update_when_from_rule(self, to_update):
+-        additional_when = ""
+-        rule_platform = self.associated_rule.platform
+-        if rule_platform == "machine":
+-            additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
+-        elif rule_platform is not None:
+-            # Assume any other platform is a Package CPE
+-
+-            # It doesn't make sense to add a conditional on the task that
+-            # gathers data for the conditional
+-            if "package_facts" in to_update:
+-                return
+-
+-            additional_when = '"' + rule_platform + '" in ansible_facts.packages'
+-            # After adding the conditional, we need to make sure package_facts are collected.
+-            # This is done via inject_package_facts_task()
++        additional_when = []
++
++        rule_platforms = set([self.associated_rule.platform] +
++                              self.associated_rule.inherited_platforms)
++
++        for platform in rule_platforms:
++            if platform == "machine":
++                additional_when.append('ansible_virtualization_type not in ["docker", "lxc", "openvz"]')
++            elif platform is not None:
++                # Assume any other platform is a Package CPE
++
++                # It doesn't make sense to add a conditional on the task that
++                # gathers data for the conditional
++                if "package_facts" in to_update:
++                    continue
++
++                additional_when.append('"' + platform + '" in ansible_facts.packages')
++                # After adding the conditional, we need to make sure package_facts are collected.
++                # This is done via inject_package_facts_task()
++
+         to_update.setdefault("when", "")
+         new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
+         if not new_when:
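Review bot: Iterating the set directly at the new `for platform in rule_platforms:` loop makes the order of the generated `when` conditions depend on set iteration order, which for strings varies between Python 3 processes under hash randomisation, so the same rule can yield differently ordered Ansible output from one build to the next. A deterministic order costs one line: `for platform in sorted(p for p in rule_platforms if p is not None):` (the `None` filter is needed because the set may hold the rule's unset platform, and `sorted` cannot compare `None` with `str` on Python 3). The Bash wrapper added to this file later in the series, the hunk ending at L3946, iterates the same set and has the same build-to-build variance in the `&&` chain it emits. update_when_from_rule continues past the end of this hunk.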
+
+From 99c92e39bccc3fcfadca41096e66ca146137b207 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 31 Aug 2020 16:06:14 +0200
+Subject: [PATCH 4/5] Improve inherihted and rule's platforms handling
+
+Add a quick comment too.
+---
+ ssg/build_remediations.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index a2a996d0af..9e622ef740 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -374,8 +374,9 @@ def inject_package_facts_task(self, parsed_snippet):
+     def update_when_from_rule(self, to_update):
+         additional_when = []
+ 
+-        rule_platforms = set([self.associated_rule.platform] +
+-                              self.associated_rule.inherited_platforms)
++        # There can be repeated inherited platforms and rule platforms
++        rule_platforms = set(self.associated_rule.inherited_platforms)
++        rule_platforms.add(self.associated_rule.platform)
+ 
+         for platform in rule_platforms:
+             if platform == "machine":
+
+From 596da9993edfbd244cbaa6d797abbd68b2e82185 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 31 Aug 2020 16:10:53 +0200
+Subject: [PATCH 5/5] Code style and grammar changes
+
+---
+ ssg/build_remediations.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 9e622ef740..866450dd8c 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -345,7 +345,7 @@ def _get_rule_reference(self, ref_class):
+     def inject_package_facts_task(self, parsed_snippet):
+         """ Injects a package_facts task only if
+             the snippet has a task with a when clause with ansible_facts.packages,
+-            and the snippet doesn't already have an package_facts task
++            and the snippet doesn't already have a package_facts task
+         """
+         has_package_facts_task = False
+         has_ansible_facts_packages_clause = False
+@@ -361,7 +361,7 @@ def inject_package_facts_task(self, parsed_snippet):
+             # When clause of the task can be string or a list, lets normalize to list
+             task_when = p_task.get("when", "")
+             if type(task_when) is str:
+-                task_when = [ task_when ]
++                task_when = [task_when]
+             for when in task_when:
+                 if "ansible_facts.packages" in when:
+                     has_ansible_facts_packages_clause = True
diff --git a/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch b/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
new file mode 100644
index 0000000..f1510d8
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
@@ -0,0 +1,241 @@
+From c05cce1a4a5eb95be857b07948fda0c95cdaa106 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Sep 2020 14:36:07 +0200
+Subject: [PATCH 1/5] Align Bash applicability with CPE platform
+
+Wraps the remediation of rules with Packager CPE Platform
+with an if condition that checks for the respective
+platforms's package.
+---
+ ssg/build_remediations.py | 45 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index ccbdf9fc1f..2d4a805e78 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -27,6 +27,13 @@
+     'kubernetes': '.yml'
+ }
+ 
++PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
++    'apt_get': 'dpkg-query -s {} &>/dev/null',
++    'dnf': 'rpm --quiet -q {}',
++    'yum': 'rpm --quiet -q {}',
++    'zypper': 'rpm --quiet -q {}',
++}
++
+ FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
+ 
+ REMEDIATION_CONFIG_KEYS = ['complexity', 'disruption', 'platform', 'reboot',
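Review bot: The `apt_get` entry `dpkg-query -s {} &>/dev/null` is not a reliable installed-package test: `dpkg-query -s` also exits 0 for a package that was removed but still has a status entry (state `deinstall ok config-files`), so the generated guard can run a remediation against software that is no longer present. The usual test reads the status field, e.g. `"dpkg-query -W -f='${{Status}}' {0} 2>/dev/null | grep -q 'install ok installed'"` (braces doubled because the template goes through `str.format`). `&>` is a bash-only redirection, acceptable only while every emitted script runs under bash; the same table is rewritten with `{0}` placeholders, keeping this command, in the hunk ending at L4055.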
+@@ -262,6 +269,44 @@ class BashRemediation(Remediation):
+     def __init__(self, file_path):
+         super(BashRemediation, self).__init__(file_path, "bash")
+ 
++    def parse_from_file_with_jinja(self, env_yaml):
++        self.local_env_yaml.update(env_yaml)
++        result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
++
++        # There can be repeated inherited platforms and rule platforms
++        rule_platforms = set(self.associated_rule.inherited_platforms)
++        rule_platforms.add(self.associated_rule.platform)
++
++        platform_conditionals = []
++        for platform in rule_platforms:
++            if platform == "machine":
++                # Based on check installed_env_is_a_container
++                platform_conditionals.append('[ ! -f /.dockerenv -a ! -f /run/.containerenv ]')
++            elif platform is not None:
++                # Assume any other platform is a Package CPE
++
++                # Some package names are different from the platform names
++                if platform in self.local_env_yaml["platform_package_overrides"]:
++                    platform = self.local_env_yaml["platform_package_overrides"].get(platform)
++
++                # Adjust package check command according to the pkg_manager
++                pkg_manager = self.local_env_yaml["pkg_manager"]
++                pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]
++                platform_conditionals.append(pkg_check_command.format(platform))
++
++        if platform_conditionals:
++            platform_fix_text = "# Remediation is applicable only in certain platforms\n"
++
++            cond = platform_conditionals.pop(0)
++            platform_fix_text += "if {}".format(cond)
++            for cond in platform_conditionals:
++                platform_fix_text += " && {}".format(cond)
++            platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
++
++            remediation = namedtuple('remediation', ['contents', 'config'])
++            result = remediation(contents=platform_fix_text, config=result.config)
++
++        return result
+ 
+ class AnsibleRemediation(Remediation):
+     def __init__(self, file_path):
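Review bot: In the new parse_from_file_with_jinja, `platform` is pasted into a shell command by `pkg_check_command.format(platform)` with no check on its shape, so a platform or override value containing whitespace or shell metacharacters yields a malformed `if` guard that is only noticed when the remediation runs. The values come from the content tree rather than from the scanned host, so this is a build-robustness point; failing early with something like `if not re.match(r'^[A-Za-z0-9._+-]+$', platform): raise ValueError("unexpected platform package name: %s" % platform)` before the append keeps bad names out of every generated script (the file already uses `re`). Two smaller points: the override lookup can be a single `platform = self.local_env_yaml["platform_package_overrides"].get(platform, platform)`, and the container test `[ ! -f /.dockerenv -a ! -f /run/.containerenv ]` relies on the obsolescent `-a` operator, for which `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` is the portable form.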
+
+From 19e0c3b709e091159655d37b8ce5d693750f0a81 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Sep 2020 14:41:01 +0200
+Subject: [PATCH 2/5] Handle Bash platform wrapping in xccdf expansion
+
+Adjust expansion of subs and variables not to remove the whole beginning
+of the fix test. This was removing the package conditional wrapping.
+---
+ ssg/build_remediations.py | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 2d4a805e78..49ec557000 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -736,14 +736,16 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
+         patcomp = re.compile(pattern, re.DOTALL)
+         fixparts = re.split(patcomp, fix.text)
+         if fixparts[0] is not None:
+-            # Split the portion of fix.text from fix start to first call of
+-            # remediation function, keeping only the third part:
+-            # * tail        to hold part of the fix.text after inclusion,
+-            #               but before first call of remediation function
++            # Split the portion of fix.text at the string remediation_functions,
++            # and remove preceeding comment whenever it is there.
++            # * head        holds part of the fix.text before
++            #               remediation_functions string
++            # * tail        holds part of the fix.text after the
++            #               remediation_functions string
+             try:
+-                rfpattern = '(.*remediation_functions)(.*)'
+-                rfpatcomp = re.compile(rfpattern, re.DOTALL)
+-                _, _, tail, _ = re.split(rfpatcomp, fixparts[0], maxsplit=2)
++                rfpattern = r'((?:# Include source function library\.\n)?.*remediation_functions)'
++                rfpatcomp = re.compile(rfpattern)
++                head, _, tail = re.split(rfpatcomp, fixparts[0], maxsplit=1)
+             except ValueError:
+                 sys.stderr.write("Processing fix.text for: %s rule\n"
+                                  % fix.get('rule'))
+@@ -751,9 +753,10 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
+                                  "after inclusion of remediation functions."
+                                  " Aborting..\n")
+                 sys.exit(1)
+-            # If the 'tail' is not empty, make it new fix.text.
++            # If the 'head' is not empty, make it new fix.text.
+             # Otherwise use ''
+-            fix.text = tail if tail is not None else ''
++            fix.text = head if head is not None else ''
++            fix.text += tail if tail is not None else ''
+             # Drop the first element of 'fixparts' since it has been processed
+             fixparts.pop(0)
+             # Perform sanity check on new 'fixparts' list content (to continue
+
+From 1292b93dc35a9a308464f1effb7f10f8de6db457 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Sep 2020 20:56:17 +0200
+Subject: [PATCH 3/5] Check if remediation has associated rule before use
+
+---
+ ssg/build_remediations.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 49ec557000..85f7139d8f 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -273,9 +273,11 @@ def parse_from_file_with_jinja(self, env_yaml):
+         self.local_env_yaml.update(env_yaml)
+         result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
+ 
+-        # There can be repeated inherited platforms and rule platforms
+-        rule_platforms = set(self.associated_rule.inherited_platforms)
+-        rule_platforms.add(self.associated_rule.platform)
++        rule_platforms = set()
++        if self.associated_rule:
++            # There can be repeated inherited platforms and rule platforms
++            rule_platforms.update(self.associated_rule.inherited_platforms)
++            rule_platforms.add(self.associated_rule.platform)
+ 
+         platform_conditionals = []
+         for platform in rule_platforms:
+
+From 7953a02e61bb56b501c56f46972247751292dcbb Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Sep 2020 10:59:43 +0200
+Subject: [PATCH 4/5] Fix python2 compat and improve code readability
+
+---
+ ssg/build_remediations.py | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 85f7139d8f..673d6d0cc6 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -28,10 +28,10 @@
+ }
+ 
+ PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
+-    'apt_get': 'dpkg-query -s {} &>/dev/null',
+-    'dnf': 'rpm --quiet -q {}',
+-    'yum': 'rpm --quiet -q {}',
+-    'zypper': 'rpm --quiet -q {}',
++    'apt_get': 'dpkg-query -s {0} &>/dev/null',
++    'dnf': 'rpm --quiet -q {0}',
++    'yum': 'rpm --quiet -q {0}',
++    'zypper': 'rpm --quiet -q {0}',
+ }
+ 
+ FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
+@@ -297,16 +297,23 @@ def parse_from_file_with_jinja(self, env_yaml):
+                 platform_conditionals.append(pkg_check_command.format(platform))
+ 
+         if platform_conditionals:
+-            platform_fix_text = "# Remediation is applicable only in certain platforms\n"
++            wrapped_fix_text = ["# Remediation is applicable only in certain platforms"]
+ 
+-            cond = platform_conditionals.pop(0)
+-            platform_fix_text += "if {}".format(cond)
+-            for cond in platform_conditionals:
+-                platform_fix_text += " && {}".format(cond)
+-            platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
++            all_conditions = " && ".join(platform_conditionals)
++            wrapped_fix_text.append("if {0}; then".format(all_conditions))
++
++            # Avoid adding extra blank line
++            if not result.contents.startswith("\n"):
++                wrapped_fix_text.append("")
++
++            wrapped_fix_text.append("{0}".format(result.contents))
++            wrapped_fix_text.append("")
++            wrapped_fix_text.append("else")
++            wrapped_fix_text.append("    >&2 echo 'Remediation is not applicable, nothing was done'")
++            wrapped_fix_text.append("fi")
+ 
+             remediation = namedtuple('remediation', ['contents', 'config'])
+-            result = remediation(contents=platform_fix_text, config=result.config)
++            result = remediation(contents="\n".join(wrapped_fix_text), config=result.config)
+ 
+         return result
+ 
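Review bot: `wrapped_fix_text.append("{0}".format(result.contents))` formats a value that is already a string, so `wrapped_fix_text.append(result.contents)` says the same with less noise; the same form recurs at L4471 in a later patch with `stripped_fix_text`. The non-applicable branch now reports on stderr but still exits 0, so a wrapped script that did nothing is indistinguishable from a successful one to its caller; if that is deliberate, a comment above the `else` line such as `# Exit 0 on purpose: a skipped remediation must not abort a combined fix script` would record the decision. parse_from_file_with_jinja begins outside this hunk.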
+
+From 0bd3912651367c64789bb3d67b44c3b8848708c0 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 10 Sep 2020 17:25:27 +0200
+Subject: [PATCH 5/5] Document the perils of indenting wrapped Bash fixes
+
+---
+ ssg/build_remediations.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 673d6d0cc6..f269d4d2d6 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -306,6 +306,9 @@ def parse_from_file_with_jinja(self, env_yaml):
+             if not result.contents.startswith("\n"):
+                 wrapped_fix_text.append("")
+ 
++            # It is possible to indent the original body of the remediation with textwrap.indent(),
++            # however, it is not supported by python2, and there is a risk of breaking remediations
++            # For example, remediations with a here-doc block could be affected.
+             wrapped_fix_text.append("{0}".format(result.contents))
+             wrapped_fix_text.append("")
+             wrapped_fix_text.append("else")
diff --git a/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch b/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
new file mode 100644
index 0000000..d8fc95c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
@@ -0,0 +1,203 @@
+From 7c0b04c157374e9251360d1d5e12a9e00dd4375e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 4 Sep 2020 09:50:54 +0200
+Subject: [PATCH 1/3] Introduce platform_package_overrides
+
+Introduce a mapping of CPE package platform name to a package name.
+
+Each linux distro or version may have its specific name for a package,
+this mapping allows a product to override the package name of a
+platorm.
+
+By default, it assumes that the package name will be the same as the
+platform name.
+---
+ rhel8/product.yml         | 7 +++++++
+ ssg/build_remediations.py | 3 +++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/rhel8/product.yml b/rhel8/product.yml
+index 6cdc51919e..6b5b4e2748 100644
+--- a/rhel8/product.yml
++++ b/rhel8/product.yml
+@@ -18,3 +18,10 @@ aux_pkg_version: "d4082792"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  grub2: "grub2-pc"
++  login_defs: "shadow-utils"
++  sssd: "sssd-common"
++  zipl: "s390x-utils"
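Review bot: The value `zipl: "s390x-utils"` does not look like a real package name; as far as I know the zipl tool on RHEL is shipped by `s390utils-base`, and mapping to a package that is never installed makes the generated Ansible condition `"s390x-utils" in ansible_facts.packages` permanently false, so every zipl-platform rule would be silently skipped rather than remediated. The name should be confirmed against the package that the OVAL inventory check for the zipl CPE tests and kept identical to it, otherwise XCCDF applicability and remediation applicability diverge. The same value is carried into the default table in ssg/constants.py in the hunk ending at L4209.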
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 866450dd8c..ccbdf9fc1f 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -389,6 +389,9 @@ def update_when_from_rule(self, to_update):
+                 if "package_facts" in to_update:
+                     continue
+ 
++                if platform in self.local_env_yaml["platform_package_overrides"]:
++                    platform = self.local_env_yaml["platform_package_overrides"].get(platform)
++
+                 additional_when.append('"' + platform + '" in ansible_facts.packages')
+                 # After adding the conditional, we need to make sure package_facts are collected.
+                 # This is done via inject_package_facts_task()
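Review bot: The two new lines look the override up twice and use subscript access, so `platform = self.local_env_yaml["platform_package_overrides"].get(platform, platform)` is shorter and equivalent. With subscript access, an environment built without the `platform_package_overrides` key (anything that does not go through `open_environment`, if such a path exists) raises KeyError in the middle of remediation generation; `.get("platform_package_overrides", {})` on the outer lookup would make the override optional. update_when_from_rule begins and ends outside this hunk.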
+
+From 10dc62084cf8e38be9189b527c3b99b545826091 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 4 Sep 2020 14:42:57 +0200
+Subject: [PATCH 2/3] Move platform to cpe mappings to ssg/constants
+
+---
+ rhel8/product.yml | 6 ------
+ ssg/constants.py  | 8 ++++++++
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/rhel8/product.yml b/rhel8/product.yml
+index 6b5b4e2748..d839b23231 100644
+--- a/rhel8/product.yml
++++ b/rhel8/product.yml
+@@ -19,9 +19,3 @@ aux_pkg_version: "d4082792"
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+ 
+-# Mapping of CPE platform to package
+-platform_package_overrides:
+-  grub2: "grub2-pc"
+-  login_defs: "shadow-utils"
+-  sssd: "sssd-common"
+-  zipl: "s390x-utils"
+diff --git a/ssg/constants.py b/ssg/constants.py
+index 3f9d7d37ce..7e9678241c 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -501,6 +501,14 @@
+     "zipl": "cpe:/a:zipl",
+ }
+ 
++# Default platform to package mapping
++XCCDF_PLATFORM_TO_PACKAGE = {
++  "grub2": "grub2-pc",
++  "login_defs": "login",
++  "sssd": "sssd-common",
++  "zipl": "s390x-utils",
++}
++
+ # _version_name_map = {
+ MAKEFILE_ID_TO_PRODUCT_MAP = {
+     'chromium': 'Google Chromium Browser',
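Review bot: The new `XCCDF_PLATFORM_TO_PACKAGE` literal is indented with two spaces while the neighbouring dictionary in the same file (the `"zipl": "cpe:/a:zipl",` entry just above it) uses four, so the block reads as pasted from elsewhere; reindenting the four entries to four spaces matches the file. The header comment could also say how the table is used, e.g. `# Default CPE platform name -> package name mapping; a product.yml 'platform_package_overrides' entry takes precedence`.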
+
+From feb012f06adae989138be15431020f2c174becc4 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 4 Sep 2020 14:47:29 +0200
+Subject: [PATCH 3/3] Allow override of default platform package mapping
+
+With default platform to package mappings defined, we need to allow a
+product to override it if needed.
+---
+ rhel6/product.yml   | 4 ++++
+ rhel7/product.yml   | 4 ++++
+ rhel8/product.yml   | 3 +++
+ rhosp10/product.yml | 3 +++
+ rhosp13/product.yml | 4 ++++
+ rhv4/product.yml    | 4 ++++
+ ssg/yaml.py         | 6 +++++-
+ 8 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/rhel6/product.yml b/rhel6/product.yml
+index cc8fa4f8ed..eab9b80c47 100644
+--- a/rhel6/product.yml
++++ b/rhel6/product.yml
+@@ -20,3 +20,7 @@ aux_pkg_version: "2fa658e0"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhel7/product.yml b/rhel7/product.yml
+index f03c928b8f..3ff996b8cc 100644
+--- a/rhel7/product.yml
++++ b/rhel7/product.yml
+@@ -18,3 +18,7 @@ aux_pkg_version: "2fa658e0"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhel8/product.yml b/rhel8/product.yml
+index d839b23231..f3aa59faec 100644
+--- a/rhel8/product.yml
++++ b/rhel8/product.yml
+@@ -19,3 +19,6 @@ aux_pkg_version: "d4082792"
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+ 
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhosp10/product.yml b/rhosp10/product.yml
+index 51d0a932a5..af42ca998d 100644
+--- a/rhosp10/product.yml
++++ b/rhosp10/product.yml
+@@ -10,3 +10,6 @@ pkg_manager: "yum"
+ 
+ init_system: "systemd"
+ 
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhosp13/product.yml b/rhosp13/product.yml
+index 5e849ff609..ba42a31cd7 100644
+--- a/rhosp13/product.yml
++++ b/rhosp13/product.yml
+@@ -9,3 +9,7 @@ profiles_root: "./profiles"
+ pkg_manager: "yum"
+ 
+ init_system: "systemd"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/rhv4/product.yml b/rhv4/product.yml
+index 10a2eda079..a61bf1588d 100644
+--- a/rhv4/product.yml
++++ b/rhv4/product.yml
+@@ -18,3 +18,7 @@ aux_pkg_version: "d4082792"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
++
++# Mapping of CPE platform to package
++platform_package_overrides:
++  login_defs: "shadow-utils"
+diff --git a/ssg/yaml.py b/ssg/yaml.py
+index cefbba374c..22cf5bad66 100644
+--- a/ssg/yaml.py
++++ b/ssg/yaml.py
+@@ -10,7 +10,8 @@
+ 
+ from .jinja import load_macros, process_file
+ from .constants import (PKG_MANAGER_TO_SYSTEM,
+-                        PKG_MANAGER_TO_CONFIG_FILE)
++                        PKG_MANAGER_TO_CONFIG_FILE,
++                        XCCDF_PLATFORM_TO_PACKAGE)
+ from .constants import DEFAULT_UID_MIN
+ 
+ try:
+@@ -138,6 +139,9 @@ def open_raw(yaml_file):
+ 
+ def open_environment(build_config_yaml, product_yaml):
+     contents = open_raw(build_config_yaml)
++    # Load common platform package mappings,
++    # any specific mapping in product_yaml will override the default
++    contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
+     contents.update(open_raw(product_yaml))
+     contents.update(_get_implied_properties(contents))
+     return contents
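Review bot: Assigning the default table before `contents.update(open_raw(product_yaml))` does not give the per-key override semantics the comment promises: `dict.update` replaces the whole nested `platform_package_overrides` value, so a product.yml that lists only `login_defs: "shadow-utils"` (as every product file in this patch does) drops the defaults for grub2, sssd and zipl, and those platforms fall back to the bare platform name as the package to check. The assignment also stores the module-level `XCCDF_PLATFORM_TO_PACKAGE` object itself, so any later in-place mutation of the environment would alter the constant. Merging after the product file is loaded fixes both: `overrides = dict(XCCDF_PLATFORM_TO_PACKAGE)`, `overrides.update(contents.get("platform_package_overrides") or {})`, `contents["platform_package_overrides"] = overrides`, placed after the product `update` and in place of the new assignment.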
diff --git a/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch b/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
new file mode 100644
index 0000000..2023459
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
@@ -0,0 +1,92 @@
+From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 21 Sep 2020 10:26:53 +0200
+Subject: [PATCH] Remove zIPL rule for PTI bootloader option
+
+This setting is to mitigate a problem specific for intel archs.
+Also returns the CCE to the pool.
+---
+ .../zipl_pti_argument/rule.yml                | 38 -------------------
+ rhel8/profiles/ospp.profile                   |  1 -
+ rhel8/profiles/stig.profile                   |  1 -
+ .../data/profile_stability/rhel8/ospp.profile |  1 -
+ 4 files changed, 41 deletions(-)
+ delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+deleted file mode 100644
+index 96170e6d85..0000000000
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ /dev/null
+@@ -1,38 +0,0 @@
+-documentation_complete: true
+-
+-prodtype: rhel8
+-
+-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+-
+-description: |-
+-    To enable Kernel page-table isolation,
+-    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+-    included in its options.<br />
+-    To ensure that new kernels and boot entries continue to enable page-table isolation,
+-    add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
+-
+-rationale: |-
+-    Kernel page-table isolation is a kernel feature that mitigates
+-    the Meltdown security vulnerability and hardens the kernel
+-    against attempts to bypass kernel address space layout
+-    randomization (KASLR).
+-
+-severity: medium
+-
+-identifiers:
+-    cce@rhel8: 83361-6
+-
+-ocil_clause: 'Kernel page-table isolation is not enabled'
+-
+-ocil: |-
+-  To check that page-table isolation is enabled at boot time, check all boot entries with following command:
+-  <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
+-  No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+-
+-platform: machine
+-
+-template:
+-  name: zipl_bls_entries_option
+-  vars:
+-    arg_name: pti
+-    arg_value: 'on'
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 5e81e4a92a..46f00c89f1 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -426,4 +426,3 @@ selections:
+     - zipl_vsyscall_argument
+     - zipl_vsyscall_argument.role=unscored
+     - zipl_vsyscall_argument.severity=info
+-    - zipl_pti_argument
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 53647475aa..817d5dbadd 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -52,7 +52,6 @@ selections:
+     - "!zipl_audit_argument"
+     - "!zipl_audit_backlog_limit_argument"
+     - "!zipl_page_poison_argument"
+-    - "!zipl_pti_argument"
+     - "!zipl_slub_debug_argument"
+     - "!zipl_vsyscall_argument"
+     - "!zipl_vsyscall_argument.role=unscored"
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 7b7307cba8..223b1423cd 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -219,7 +219,6 @@ selections:
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
+ - zipl_page_poison_argument
+-- zipl_pti_argument
+ - zipl_slub_debug_argument
+ - zipl_vsyscall_argument
+ - var_sshd_set_keepalive=0
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch b/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
new file mode 100644
index 0000000..0199bf4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
@@ -0,0 +1,49 @@
+From 08d5fb8355020856282eecfcdd09e96d9850cd62 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 9 Oct 2020 09:30:35 +0200
+Subject: [PATCH] Do not platform wrap empty Bash remediation
+
+The fix text for a rule can end up empty if a Jinja macro or conditional
+doesn't render any text.
+In these cases, avoid wrapping empty lines in an if-else, as this causes
+syntax error.
+---
+ ssg/build_remediations.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index f269d4d2d6..572db61701 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -273,6 +273,13 @@ def parse_from_file_with_jinja(self, env_yaml):
+         self.local_env_yaml.update(env_yaml)
+         result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
+ 
++        # Avoid platform wrapping empty fix text
++        # Remediations can be empty when a Jinja macro or conditional
++        # renders no fix text for a product
++        stripped_fix_text = result.contents.strip()
++        if stripped_fix_text == "":
++            return result
++
+         rule_platforms = set()
+         if self.associated_rule:
+             # There can be repeated inherited platforms and rule platforms
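Review bot: `if stripped_fix_text == "":` on the new early return is the non-idiomatic spelling of `if not stripped_fix_text:`. The early return hands back the unstripped, whitespace-only `result`, which is right for the empty case, but the wrapped path in this same patch emits `stripped_fix_text`; a one-line comment above the `return`, e.g. `# Whitespace-only fixes are returned as-is; only wrapped fixes are stripped`, would make that asymmetry explicit. parse_from_file_with_jinja continues past the end of this hunk.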
+@@ -301,15 +308,11 @@ def parse_from_file_with_jinja(self, env_yaml):
+ 
+             all_conditions = " && ".join(platform_conditionals)
+             wrapped_fix_text.append("if {0}; then".format(all_conditions))
+-
+-            # Avoid adding extra blank line
+-            if not result.contents.startswith("\n"):
+-                wrapped_fix_text.append("")
+-
++            wrapped_fix_text.append("")
+             # It is possible to indent the original body of the remediation with textwrap.indent(),
+             # however, it is not supported by python2, and there is a risk of breaking remediations
+             # For example, remediations with a here-doc block could be affected.
+-            wrapped_fix_text.append("{0}".format(result.contents))
++            wrapped_fix_text.append("{0}".format(stripped_fix_text))
+             wrapped_fix_text.append("")
+             wrapped_fix_text.append("else")
+             wrapped_fix_text.append("    >&2 echo 'Remediation is not applicable, nothing was done'")
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch b/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
new file mode 100644
index 0000000..83df4d6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
@@ -0,0 +1,116 @@
+From cf1d85924b5945506e57f8701be066c83a894378 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 5 Oct 2020 16:40:39 +0200
+Subject: [PATCH 1/2] Check for grub2-common instead of grub2-pc
+
+Check for grub2 intallation based on grub2-common.
+grub2-pc is a x86_64 package, but other arches use grub2 as well.
+---
+ .../checks/oval/installed_env_has_grub2_package.xml  | 12 ++++++------
+ ssg/constants.py                                     |  2 +-
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
+index e83f45bc3b..2a170d668e 100644
+--- a/shared/checks/oval/installed_env_has_grub2_package.xml
++++ b/shared/checks/oval/installed_env_has_grub2_package.xml
+@@ -6,31 +6,31 @@
+       <affected family="unix">
+         <platform>multi_platform_all</platform>
+       </affected>
+-      <description>Checks if package grub2-pc is installed.</description>
++      <description>Checks if package grub2-common is installed.</description>
+       <reference ref_id="cpe:/a:grub2" source="CPE" />
+     </metadata>
+     <criteria>
+-      <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
++      <criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
+     </criteria>
+   </definition>
+ 
+ {{% if pkg_system == "rpm" %}}
+   <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+   id="test_env_has_grub2_installed" version="1"
+-  comment="system has package grub2-pc installed">
++  comment="system has package grub2-common installed">
+     <linux:object object_ref="obj_env_has_grub2_installed" />
+   </linux:rpminfo_test>
+   <linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
+-    <linux:name>grub2-pc</linux:name>
++    <linux:name>grub2-common</linux:name>
+   </linux:rpminfo_object>
+ {{% elif pkg_system == "dpkg" %}}
+   <linux:dpkginfo_test check="all" check_existence="all_exist"
+   id="test_env_has_grub2_installed" version="1"
+-  comment="system has package grub2-pc installed">
++  comment="system has package grub2-common installed">
+     <linux:object object_ref="obj_env_has_grub2_installed" />
+   </linux:dpkginfo_test>
+   <linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
+-    <linux:name>grub2-pc</linux:name>
++    <linux:name>grub2-common</linux:name>
+   </linux:dpkginfo_object>
+ {{% endif %}}
+ 
+diff --git a/ssg/constants.py b/ssg/constants.py
+index b07fe5f0fe..88316374b5 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -468,7 +468,7 @@
+ 
+ # Default platform to package mapping
+ XCCDF_PLATFORM_TO_PACKAGE = {
+-  "grub2": "grub2-pc",
++  "grub2": "grub2-common",
+   "login_defs": "login",
+   "sssd": "sssd-common",
+   "zipl": "s390utils-base",
+
+From fba876cfc7f85f5b9a696d0f5fa1177299b7c6bb Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 5 Oct 2020 16:49:15 +0200
+Subject: [PATCH 2/2] Handle exception of grub2-coomon in ppc64le
+
+ppc64le systems can use Grub2 or OPAL and the package set will be the
+same in both cases.
+Add a few more checks to make sure ppc64le arch is handled correctly.
+---
+ .../oval/installed_env_has_grub2_package.xml  | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
+index 2a170d668e..fb2c9cc784 100644
+--- a/shared/checks/oval/installed_env_has_grub2_package.xml
++++ b/shared/checks/oval/installed_env_has_grub2_package.xml
+@@ -9,8 +9,18 @@
+       <description>Checks if package grub2-common is installed.</description>
+       <reference ref_id="cpe:/a:grub2" source="CPE" />
+     </metadata>
+-    <criteria>
++    <criteria operator="AND">
+       <criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
++      <criteria operator="OR">
++        <!-- On ppc64le systems, OF (Grub2) or OPAL (petitboot) can be used,
++        and unfortunately the package set installed is the same in both cases.
++        But when OPAL is used, /sys/firmware/opal exists.
++        So the system uses grub when: -->
++        <!-- grub2-common is installed and arch is not a ppc64le -->
++        <criterion comment="Test for ppcle64 architecture" test_ref="test_system_info_architecture_ppcle_64" negate="true" />
++        <!-- or when grub2-common is installed, arch is a ppc64le but OPAL is not used -->
++        <criterion comment="Test if OPAL is not used" test_ref="test_system_using_opal" negate="true" />
++      </criteria>
+     </criteria>
+   </definition>
+ 
+@@ -34,4 +44,11 @@
+   </linux:dpkginfo_object>
+ {{% endif %}}
+ 
++  <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firware/opal exists" id="test_system_using_opal" version="1">
++    <unix:object object_ref="object_system_using_opal" />
++  </unix:file_test>
++  <unix:file_object id="object_system_using_opal" version="1">
++    <unix:filepath>/sys/firmware/opal</unix:filepath>
++  </unix:file_object>
++
+ </def-group>
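Review bot: The `<description>` near the top of the definition still reads `Checks if package grub2-common is installed.` while the criteria now additionally require, on ppc64le, that `/sys/firmware/opal` does not exist, and the description is the only text a reader of the compiled datastream sees; suggest `<description>Checks if package grub2-common is installed and, on ppc64le systems, that the machine is not booted through OPAL (i.e. /sys/firmware/opal does not exist).</description>`. The `comment` attribute of the new `unix:file_test` misspells the path (`Check if /sys/firware/opal exists`); the `<unix:filepath>` itself is correct, so only the comment needs fixing. `test_system_info_architecture_ppcle_64` is referenced but not defined in this file, presumably it lives in a shared OVAL definition, which is worth confirming since an unresolved `test_ref` only surfaces at build time. Note that the check remains a package-presence heuristic: a host where grub2-common is installed but which boots by another path would still be evaluated and remediated as a grub2 system.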
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch b/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
new file mode 100644
index 0000000..8c84ee4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
@@ -0,0 +1,38 @@
+From 7dfeb5ec0513a58502eb83aa2900e7c5fb0d478e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 8 Sep 2020 11:29:57 +0200
+Subject: [PATCH] Fix load of product platform mapping
+
+The product specific mappings were overriding the common mappings,
+instead of being merged with them.
+---
+ ssg/yaml.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/ssg/yaml.py b/ssg/yaml.py
+index 22cf5bad66..d8856e52c9 100644
+--- a/ssg/yaml.py
++++ b/ssg/yaml.py
+@@ -13,6 +13,7 @@
+                         PKG_MANAGER_TO_CONFIG_FILE,
+                         XCCDF_PLATFORM_TO_PACKAGE)
+ from .constants import DEFAULT_UID_MIN
++from .utils import merge_dicts
+ 
+ try:
+     from yaml import CSafeLoader as yaml_SafeLoader
+@@ -139,10 +140,11 @@ def open_raw(yaml_file):
+ 
+ def open_environment(build_config_yaml, product_yaml):
+     contents = open_raw(build_config_yaml)
+-    # Load common platform package mappings,
+-    # any specific mapping in product_yaml will override the default
+-    contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
+     contents.update(open_raw(product_yaml))
++    platform_package_overrides = contents.get("platform_package_overrides", {})
++    # Merge common platform package mappings, while keeping product specific mappings
++    contents["platform_package_overrides"] = merge_dicts(XCCDF_PLATFORM_TO_PACKAGE,
++                                                         platform_package_overrides)
+     contents.update(_get_implied_properties(contents))
+     return contents
+ 
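Review bot: Which side wins between the common and the product-specific mappings is now decided solely by the argument order passed to `merge_dicts`, and neither the comment nor the call says so; if `merge_dicts` updates its first argument in place, the module-level `XCCDF_PLATFORM_TO_PACKAGE` would also be mutated and carry one product's overrides into the next product built in the same process. Passing a copy avoids that regardless of the helper's implementation, and guarding against an explicit `platform_package_overrides: null` in a product yaml (where `.get` returns `None`, not `{}`) avoids a TypeError: `contents["platform_package_overrides"] = merge_dicts(dict(XCCDF_PLATFORM_TO_PACKAGE), platform_package_overrides or {})`. The comment should state the precedence explicitly, e.g. `# Merge common platform package mappings; product specific mappings take precedence over the defaults`. The semantics of `merge_dicts` are not visible in this patch, so the precedence claim should be confirmed against ssg/utils.py.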
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch b/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
new file mode 100644
index 0000000..fc1fecd
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
@@ -0,0 +1,22 @@
+From 570dc073739e9044b54e872c8368125bccadb704 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 29 Sep 2020 15:28:02 +0200
+Subject: [PATCH] Fix zIPL package mapping
+
+---
+ ssg/constants.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssg/constants.py b/ssg/constants.py
+index 0eca2f4f95..fa6c756ff6 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -470,7 +470,7 @@
+   "grub2": "grub2-pc",
+   "login_defs": "login",
+   "sssd": "sssd-common",
+-  "zipl": "s390x-utils",
++  "zipl": "s390utils-base",
+ }
+ 
+ # _version_name_map = {
diff --git a/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch b/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
new file mode 100644
index 0000000..20310cb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
@@ -0,0 +1,16 @@
+From 7a069a2deb4d1ce69b02b7615523424f2ecf281f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 29 Sep 2020 15:04:39 +0200
+Subject: [PATCH] Move grub2_vsyscall_argument to grub2 group
+
+This will put the rule under grub2 platform, so the rule is only
+applicable on a machine system with grub2.
+---
+ .../grub2_vsyscall_argument/rule.yml                              | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename linux_os/guide/system/{permissions/restrictions => bootloader-grub2}/grub2_vsyscall_argument/rule.yml (100%)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+similarity index 100%
+rename from linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
+rename to linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index e098e0d..8430bd2 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.50
-Release:	14%{?dist}
+Release:	16%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 Group:		Applications/System
 License:	BSD
@@ -35,6 +35,23 @@ Patch23:		scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_58
 Patch24:		scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
 Patch25:		scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
 Patch26:		scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
+Patch27:		scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch
+Patch28:		scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch
+Patch29:		scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
+Patch30:		scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
+Patch31:		scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
+Patch32:		scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
+Patch33:		scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
+# To ease backport, patch 33 also includes changes from #5995
+Patch34:		scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
+Patch35:		scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
+Patch36:		scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
+Patch37:		scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
+Patch38:		scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
+Patch39:		scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
+Patch40:		scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
+Patch41:		scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
+Patch42:		scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
 
 BuildArch:	noarch
 
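Review bot: Patch40 and Patch41 both edit the same `XCCDF_PLATFORM_TO_PACKAGE` lines in ssg/constants.py (Patch41's context already contains the `s390utils-base` value that Patch40 introduces), so their numbering encodes an ordering dependency that the list does not state. The existing comment style used for Patch33 fits here: `# Patch41 depends on Patch40: both edit XCCDF_PLATFORM_TO_PACKAGE in ssg/constants.py`. Patch41 and Patch42 also depart from the `_PR_` file-name convention used by Patch27–40 (they use `-PR_`), which is harmless but makes the list harder to grep consistently.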
@@ -96,6 +113,22 @@ present in %{name} package.
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
+%patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1
+%patch42 -p1
 mkdir build
 
 %build
@@ -130,6 +163,13 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Fri Oct 09 2020 Watson Sato <wsato@redhat.com> - 0.1.50-16
+- Fix Bash platform in empty remediations (rhbz#1886318)
+
+* Tue Oct 06 2020 Watson Sato <wsato@redhat.com> - 0.1.50-15
+- Add and select zIPL bootloader rules in OSPP (rhbz#1886318)
+- Add support for remediation platforms
+
 * Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
 - Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)