diff --git a/.gitignore b/.gitignore
index a0b3fab..573eb37 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.49.tar.bz2
+SOURCES/scap-security-guide-0.1.50.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index c49602b..d7de47e 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-abc5640ac0b212fbea8379036830f650dd2543db SOURCES/scap-security-guide-0.1.49.tar.bz2
+1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
index d26c4b2..428ede7 100644
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -9,7 +9,6 @@ Also disable tables for profiles that are not built.
  rhel8/CMakeLists.txt              | 2 --
  rhel8/profiles/cjis.profile       | 2 +-
  rhel8/profiles/cui.profile        | 2 +-
- rhel8/profiles/hipaa.profile      | 2 +-
  rhel8/profiles/rhelh-stig.profile | 2 +-
  rhel8/profiles/rhelh-vpp.profile  | 2 +-
  rhel8/profiles/rht-ccp.profile    | 2 +-
@@ -50,16 +49,6 @@ index eb62252a4..e8f369708 100644
  
  title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
  
-diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
-index 8d20f9019..d641b56fe 100644
---- a/rhel8/profiles/hipaa.profile
-+++ b/rhel8/profiles/hipaa.profile
-@@ -1,4 +1,4 @@
--documentation_complete: True
-+documentation_complete: false
- 
- title: 'Health Insurance Portability and Accountability Act (HIPAA)'
- 
 diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
 index 1efca5f44..c3d0b0964 100644
 --- a/rhel8/profiles/rhelh-stig.profile
diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
new file mode 100644
index 0000000..e859c54
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
@@ -0,0 +1,71 @@
+From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 12 May 2020 08:17:20 +0200
+Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
+
+---
+ .../ansible/shared.yml                        | 33 +++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+ create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+new file mode 100644
+index 0000000000..5d76b3c073
+--- /dev/null
++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
+@@ -0,0 +1,33 @@
++# platform = multi_platform_all
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++
++- name: Configure daily log rotation in /etc/logrotate.conf
++  lineinfile:
++    create: yes
++    dest: "/etc/logrotate.conf"
++    regexp: "^daily$"
++    line: "daily"
++
++- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
++  lineinfile:
++    create: no
++    dest: "/etc/logrotate.conf"
++    regexp: "^(weekly|monthly|yearly)$"
++    state: absent
++
++- name: Configure cron.daily if not already
++  block:
++    - name: Add shebang
++      lineinfile:
++        path: "/etc/cron.daily/logrotate"
++        line: "#!/bin/sh"
++        insertbefore: BOF
++        create: yes
++    - name: Add logrotate call
++      lineinfile:
++        path: "/etc/cron.daily/logrotate"
++        line: '/usr/sbin/logrotate /etc/logrotate.conf'
++        regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
+
+From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 12 May 2020 14:48:15 +0200
+Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
+
+Test scenario when monthly is there, but weekly is not.
+---
+ .../tests/logrotate_conf_extra_monthly.fail.sh                | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
+
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
+new file mode 100644
+index 0000000000..b10362989b
+--- /dev/null
++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++sed -i "s/weekly/daily/g" /etc/logrotate.conf
++echo "monthly" >> /etc/logrotate.conf
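Review bot: The `Add shebang` task in ensure_logrotate_activated/ansible/shared.yml (PATCH 1/2) creates /etc/cron.daily/logrotate with `create: yes` but sets no `mode`, so on a host where the file is missing it is likely to be created without the execute bit and the daily cron run would then skip it. The remediation would report success while nothing calls logrotate from cron; adding `mode: "0755"` to that task makes the created script runnable. Separately, the regexps `^daily$` and `^(weekly|monthly|yearly)$` match only lines with no surrounding whitespace, so a top-level `weekly` followed by a trailing space would survive the second task; `^daily\s*$` and `^(weekly|monthly|yearly)\s*$` would close that gap without touching indented per-log settings.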
diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
new file mode 100644
index 0000000..a864ebf
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
@@ -0,0 +1,115 @@
+From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 13 May 2020 20:49:08 +0200
+Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
+
+---
+ .../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
+ .../sshd_set_max_sessions/tests/wrong_value.fail.sh   | 11 +++++++++++
+ 2 files changed, 22 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+new file mode 100644
+index 0000000000..a816eea390
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+@@ -0,0 +1,11 @@
++# profiles = xccdf_org.ssgproject.content_profile_cis
++# platform = Red Hat Enterprise Linux 8
++
++#!/bin/bash
++SSHD_CONFIG="/etc/ssh/sshd_config"
++
++if grep -q "^MaxSessions" $SSHD_CONFIG; then
++        sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
++    else
++            echo "MaxSessions 4" >> $SSHD_CONFIG
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+new file mode 100644
+index 0000000000..b36125f5bb
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+@@ -0,0 +1,11 @@
++# profiles = xccdf_org.ssgproject.content_profile_cis
++# platform = Red Hat Enterprise Linux 8
++
++#!/bin/bash
++SSHD_CONFIG="/etc/ssh/sshd_config"
++
++if grep -q "^MaxSessions" $SSHD_CONFIG; then
++        sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
++    else
++            echo "MaxSessions 10" >> $SSHD_CONFIG
++fi
+
+From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 13 May 2020 20:53:50 +0200
+Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
+
+---
+ .../sshd_set_max_sessions/ansible/shared.yml         |  8 ++++++++
+ .../ssh_server/sshd_set_max_sessions/bash/shared.sh  | 12 ++++++++++++
+ .../tests/correct_value.pass.sh                      |  2 +-
+ .../sshd_set_max_sessions/tests/wrong_value.fail.sh  |  2 +-
+ 4 files changed, 22 insertions(+), 2 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
+new file mode 100644
+index 0000000000..a7e171dfe9
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
+@@ -0,0 +1,8 @@
++# platform = multi_platform_all
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++- (xccdf-var var_sshd_max_sessions)
++
++{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
+new file mode 100644
+index 0000000000..fc0a1d8b42
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
+@@ -0,0 +1,12 @@
++# platform = multi_platform_all
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++populate var_sshd_max_sessions
++
++{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+index a816eea390..4cc6d65988 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
+ if grep -q "^MaxSessions" $SSHD_CONFIG; then
+         sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
+     else
+-            echo "MaxSessions 4" >> $SSHD_CONFIG
++        echo "MaxSessions 4" >> $SSHD_CONFIG
+ fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+index b36125f5bb..bc0c47842a 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
+ if grep -q "^MaxSessions" $SSHD_CONFIG; then
+         sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
+     else
+-            echo "MaxSessions 10" >> $SSHD_CONFIG
++        echo "MaxSessions 10" >> $SSHD_CONFIG
+ fi
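Review bot: In both new test scripts (correct_value.pass.sh and wrong_value.fail.sh, PATCH 1/2) `#!/bin/bash` sits on line 4 below the `# profiles` and `# platform` headers, where it is an ordinary comment and not an interpreter line; move it to line 1 and keep the metadata comments under it. The scripts also match `^MaxSessions` case-sensitively although sshd_config keywords are case-insensitive, so an existing `maxsessions` line would be left in place and a second directive appended after it; sshd keeps the first value it reads, so the scenario could end up testing a different state than its name says. `grep -qi "^MaxSessions"` and `sed -i "s/^MaxSessions.*/MaxSessions 4/I"` would cover that. PATCH 2/2 only re-indents the `echo` lines and still leaves `else` at a different depth from `if` and `fi`.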
diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
new file mode 100644
index 0000000..ff529ca
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
@@ -0,0 +1,147 @@
+From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 11:52:35 +0200
+Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
+
+Very likey a copy-pasta error from bash remediation for
+audit_rules_immutable
+---
+ .../audit_rules_system_shutdown/bash/shared.sh                  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+index 1c9748ce9b..b56513cdcd 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+@@ -8,7 +8,7 @@
+ # files to check if '-f .*' setting is present in that '*.rules' file already.
+ # If found, delete such occurrence since auditctl(8) manual page instructs the
+ # '-f 2' rule should be placed as the last rule in the configuration
+-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
++find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
+ 
+ # Append '-f 2' requirement at the end of both:
+ # * /etc/audit/audit.rules file 		(for auditctl case)
+
+From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 12:12:21 +0200
+Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
+
+Along with very basic test scenarios
+---
+ .../ansible/shared.yml                        | 28 +++++++++++++++++++
+ .../tests/augen_correct.pass.sh               |  4 +++
+ .../tests/augen_e_2_immutable.fail.sh         |  3 ++
+ 3 files changed, 35 insertions(+)
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
+new file mode 100644
+index 0000000000..b9e8fa87fa
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
+@@ -0,0 +1,28 @@
++# platform = multi_platform_all
++# reboot = true
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++- name: Collect all files from /etc/audit/rules.d with .rules extension
++  find:
++    paths: "/etc/audit/rules.d/"
++    patterns: "*.rules"
++  register: find_rules_d
++
++- name: Remove the -f option from all Audit config files
++  lineinfile:
++    path: "{{ item }}"
++    regexp: '^\s*(?:-f)\s+.*$'
++    state: absent
++  loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
++
++- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
++  lineinfile:
++    path: "{{ item }}"
++    create: True
++    line: "-f 2"
++  loop:
++    - "/etc/audit/audit.rules"
++    - "/etc/audit/rules.d/immutable.rules"
++
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
+new file mode 100644
+index 0000000000..0587b937e0
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++echo "-e 2" > /etc/audit/rules.d/immutable.rules
++echo "-f 2" >> /etc/audit/rules.d/immutable.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
+new file mode 100644
+index 0000000000..fa5b7231df
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "-e 2" > /etc/audit/rules.d/immutable.rules
+
+From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 14:06:08 +0200
+Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
+
+---
+ .../audit_rules_immutable/ansible/shared.yml                    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+index 5ac7b3dabb..1cafb744cc 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+@@ -17,7 +17,7 @@
+     state: absent
+   loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
+ 
+-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
++- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+   lineinfile:
+     path: "{{ item }}"
+     create: True
+
+From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 11:02:56 +0200
+Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
+
+---
+ .../audit_rules_system_shutdown/bash/shared.sh            | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+index b56513cdcd..a349bb1ca1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+@@ -4,16 +4,8 @@
+ #
+ # /etc/audit/audit.rules,			(for auditctl case)
+ # /etc/audit/rules.d/*.rules			(for augenrules case)
+-#
+-# files to check if '-f .*' setting is present in that '*.rules' file already.
+-# If found, delete such occurrence since auditctl(8) manual page instructs the
+-# '-f 2' rule should be placed as the last rule in the configuration
+ find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
+ 
+-# Append '-f 2' requirement at the end of both:
+-# * /etc/audit/audit.rules file 		(for auditctl case)
+-# * /etc/audit/rules.d/immutable.rules		(for augenrules case)
+-
+ for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
+ do
+ 	echo '' >> $AUDIT_FILE
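Review bot: The corrected sed expression in audit_rules_system_shutdown/bash/shared.sh, `/-f[[:space:]]\+.*/d`, is not anchored, so it deletes any line that contains `-f` followed by whitespace anywhere, not only a standalone failure-mode directive; an audit rule whose path or key happens to end in `-f` would be dropped silently and audit coverage reduced. The Ansible task added in PATCH 2/4 anchors the same match with `^\s*(?:-f)\s+.*$`, and the bash side should agree, e.g. `sed -i '/^[[:space:]]*-f[[:space:]]\+.*/d'`. Both remediations also appear to put `-f 2` at the end of /etc/audit/audit.rules, which places it after an existing `-e 2`; it is worth confirming that auditctl still accepts the failure mode once the configuration is locked. The bash script continues past the end of the last hunk.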
diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
new file mode 100644
index 0000000..2b5acdc
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
@@ -0,0 +1,49 @@
+From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 21 May 2020 18:16:43 +0200
+Subject: [PATCH] Attribute content to CIS
+
+And update the description a bit.
+---
+ rhel7/profiles/cis.profile | 8 +++++---
+ rhel8/profiles/cis.profile | 8 +++++---
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
+index 0826a49547..829c388133 100644
+--- a/rhel7/profiles/cis.profile
++++ b/rhel7/profiles/cis.profile
+@@ -3,9 +3,11 @@ documentation_complete: true
+ title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
+ 
+ description: |-
+-    This baseline aligns to the Center for Internet Security
+-    Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
+-    12-27-2017.
++    This profile defines a baseline that aligns to the Center for Internet Security®
++    Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
++
++    This profile includes Center for Internet Security®
++    Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
+ 
+ selections:
+     # Necessary for dconf rules
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index f332ee5462..868b9f21a6 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -3,9 +3,11 @@ documentation_complete: true
+ title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
+ 
+ description: |-
+-    This baseline aligns to the Center for Internet Security
+-    Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
+-    09-30-2019.
++    This profile defines a baseline that aligns to the Center for Internet Security®
++    Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
++
++    This profile includes Center for Internet Security®
++    Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+ 
+ selections:
+     # Necessary for dconf rules
diff --git a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
new file mode 100644
index 0000000..3c4f3b1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
@@ -0,0 +1,274 @@
+From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 25 May 2020 12:17:48 +0200
+Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
+
+---
+ rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
+ rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
+ 2 files changed, 250 insertions(+)
+ create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
+ create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
+
+diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
+new file mode 100644
+index 0000000000..14c82c4231
+--- /dev/null
++++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
+@@ -0,0 +1,125 @@
++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
++# Version: 0.0.1
++# Date: 2020-05-25
++#
++# Based on:
++# http://fedoraproject.org/wiki/Anaconda/Kickstart
++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
++
++# Install a fresh new system (optional)
++install
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url		the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot	enable device at a boot time
++# --device	device to be activated and / or configured with the network command
++# --bootproto	method to obtain networking configuration for device (default dhcp)
++# --noipv6	disable IPv6 on this device
++#
++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
++#       "--bootproto=static" must be used. For example:
++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled	reject incoming connections that are not in response to outbound requests
++# --ssh		allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# --enableshadow	enable shadowed passwords by default
++# --passalgo		hash / crypt algorithm for new passwords
++# See the manual page for authconfig for a complete list of possible options.
++authconfig --enableshadow --passalgo=sha512
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++# Plaintext password is: password
++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
++# encrypted password form for different plaintext password
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux	erase all Linux partitions
++# --initlabel	initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with HIPAA profile
++# For more details and configuration options see command %addon org_fedora_oscap in
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
++%addon org_fedora_oscap
++        content-type = scap-security-guide
++        profile = xccdf_org.ssgproject.content_profile_hipaa
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject	attempt to eject CD or DVD media before rebooting
++reboot --eject
+diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
+new file mode 100644
+index 0000000000..861db36f18
+--- /dev/null
++++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
+@@ -0,0 +1,125 @@
++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
++# Version: 0.0.1
++# Date: 2020-05-25
++#
++# Based on:
++# http://fedoraproject.org/wiki/Anaconda/Kickstart
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Install a fresh new system (optional)
++install
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url		the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot	enable device at a boot time
++# --device	device to be activated and / or configured with the network command
++# --bootproto	method to obtain networking configuration for device (default dhcp)
++# --noipv6	disable IPv6 on this device
++#
++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
++#       "--bootproto=static" must be used. For example:
++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled	reject incoming connections that are not in response to outbound requests
++# --ssh		allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++# Plaintext password is: password
++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
++# encrypted password form for different plaintext password
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++# 
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux	erase all Linux partitions
++# --initlabel	initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with HIPAA profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon org_fedora_oscap
++        content-type = scap-security-guide
++        profile = xccdf_org.ssgproject.content_profile_hipaa
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject	attempt to eject CD or DVD media before rebooting
++reboot --eject
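Review bot: Both new kickstarts ship fixed password hashes for root, for the wheel-group `admin` user and for the bootloader, with the matching plaintext written in the comment above each line, while `firewall --enabled --ssh` leaves sshd reachable; a host installed from the file unchanged comes up with publicly documented credentials. Add a line above each of the three commands such as `# Example value only: generate your own hash and replace this one before installing`. The `bootloader` line also passes a `$6$` crypt hash to `--password=` without `--iscrypted`, so the installer presumably takes the string as the literal GRUB password and not `password` as the comment says; the documented encrypted form is a grub2-mkpasswd-pbkdf2 hash together with `--iscrypted`.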
diff --git a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
new file mode 100644
index 0000000..e6dc9cb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
@@ -0,0 +1,76 @@
+From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 22 May 2020 14:12:18 +0200
+Subject: [PATCH] Add missing CCEs for RHEL8
+
+---
+ .../password_storage/no_netrc_files/rule.yml                   | 1 +
+ .../accounts_user_interactive_home_directory_exists/rule.yml   | 1 +
+ .../file_groupownership_home_directories/rule.yml              | 1 +
+ shared/references/cce-redhat-avail.txt                         | 3 ---
+ 4 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+index 8547893201..1bd1f5742e 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+     cce@rhel6: 27225-2
+     cce@rhel7: 80211-6
++    cce@rhel8: 83444-0
+     cce@ocp4: 82667-7
+ 
+ references:
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index bedf3a0b19..e69bc9d736 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel7: 80529-1
++    cce@rhel8: 83424-2
+ 
+ references:
+     stigid@ol7: "020620"
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index 1c5ac8d099..f931f6d160 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ 
+ identifiers:
+     cce@rhel7: 80532-5
++    cce@rhel8: 83434-1
+ 
+ references:
+     stigid@ol7: "020650"
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 2f0d2a526b..45d03a2c1d 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -95,7 +95,6 @@ CCE-83411-9
+ CCE-83421-8
+ CCE-83422-6
+ CCE-83423-4
+-CCE-83424-2
+ CCE-83425-9
+ CCE-83426-7
+ CCE-83427-5
+@@ -105,7 +104,6 @@ CCE-83430-9
+ CCE-83431-7
+ CCE-83432-5
+ CCE-83433-3
+-CCE-83434-1
+ CCE-83435-8
+ CCE-83436-6
+ CCE-83437-4
+@@ -115,7 +113,6 @@ CCE-83440-8
+ CCE-83441-6
+ CCE-83442-4
+ CCE-83443-2
+-CCE-83444-0
+ CCE-83445-7
+ CCE-83446-5
+ CCE-83447-3
diff --git a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
new file mode 100644
index 0000000..b435b97
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
@@ -0,0 +1,103 @@
+From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 May 2020 13:30:24 +0200
+Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
+
+---
+ .../root_logins/no_direct_root_logins/ansible/shared.yml    | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+index e9a29a24d5..6fbb7c72a5 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+@@ -3,13 +3,9 @@
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+-- name: Test for existence of /etc/securetty
+-  stat:
+-    path: /etc/securetty
+-  register: securetty_empty
++
+ 
+ - name: "Direct root Logins Not Allowed"
+   copy:
+     dest: /etc/securetty
+     content: ""
+-  when: securetty_empty.stat.size > 1
+
+From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 May 2020 14:21:38 +0200
+Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
+
+---
+ shared/templates/template_ANSIBLE_sebool | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
+index 29f37081be..38d7c7c350 100644
+--- a/shared/templates/template_ANSIBLE_sebool
++++ b/shared/templates/template_ANSIBLE_sebool
+@@ -13,11 +13,17 @@
+ {{% else %}}
+ - (xccdf-var var_{{{ SEBOOLID }}})
+ 
++{{% if product == "rhel8" %}}
++- name: Ensure python3-libsemanage installed
++  package:
++    name: python3-libsemanage
++    state: present
++{{% else %}}
+ - name: Ensure libsemanage-python installed
+   package:
+     name: libsemanage-python
+     state: present
+-
++{{% endif %}}
+ - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
+   seboolean:
+     name: {{{ SEBOOLID }}}
+
+From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 May 2020 14:57:05 +0200
+Subject: [PATCH 3/3] add tests for no_direct_root_logins
+
+---
+ .../root_logins/no_direct_root_logins/tests/correct.pass.sh    | 3 +++
+ .../root_logins/no_direct_root_logins/tests/missing.fail.sh    | 3 +++
+ .../root_logins/no_direct_root_logins/tests/wrong.fail.sh      | 3 +++
+ 3 files changed, 9 insertions(+)
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
+new file mode 100644
+index 0000000000..17251f6a98
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo > /etc/securetty
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
+new file mode 100644
+index 0000000000..c764814b26
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++rm -f /etc/securetty
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
+new file mode 100644
+index 0000000000..43ac341e87
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "something" > /etc/securetty
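Review bot: The `copy` task in no_direct_root_logins/ansible/shared.yml now runs unconditionally and sets neither `owner`, `group` nor `mode`, so when /etc/securetty is absent (the state missing.fail.sh sets up) the file is created with whatever defaults the remote side applies. Pinning them in the task, e.g. `owner: root`, `group: root`, `mode: '0600'`, keeps the remediated file from ending up with looser permissions than intended. Separately, in template_ANSIBLE_sebool the `product == "rhel8"` test sends every other product to `libsemanage-python`; if other products that ship only the Python 3 bindings use this template, they presumably need the `python3-libsemanage` branch too.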
diff --git a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
new file mode 100644
index 0000000..5c6664f
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
@@ -0,0 +1,308 @@
+From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Tue, 26 May 2020 17:49:21 +0200
+Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
+
+Affected rules:
+ - selinux_policytype
+ - selinux_state
+---
+ .../selinux/selinux_policytype/ansible/shared.yml |  9 ++-------
+ .../selinux/selinux_policytype/bash/shared.sh     |  5 +++--
+ .../tests/selinuxtype_minimum.fail.sh             | 10 ++++++++++
+ .../selinux/selinux_state/ansible/shared.yml      |  9 ++-------
+ .../system/selinux/selinux_state/bash/shared.sh   |  5 +++--
+ .../selinux_state/tests/selinux_missing.fail.sh   |  5 +++++
+ .../tests/selinux_permissive.fail.sh              | 10 ++++++++++
+ shared/macros-ansible.jinja                       | 11 +++++++++++
+ shared/macros-bash.jinja                          | 15 +++++++++++++++
+ 9 files changed, 61 insertions(+), 18 deletions(-)
+ create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+ create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
+ create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
+
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+index 5c70cc9f7f..9f8cf66dfb 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
++++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+@@ -3,11 +3,6 @@
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+ - (xccdf-var var_selinux_policy_name)
+ 
+-- name: "{{{ rule_title }}}"
+-  lineinfile:
+-    path: /etc/sysconfig/selinux
+-    regexp: '^SELINUXTYPE='
+-    line: "SELINUXTYPE={{ var_selinux_policy_name }}"
+-    create: yes
++{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+index d0fbbf4446..2b5ce31b12 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+@@ -1,7 +1,8 @@
+ # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+-#
++
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
++
+ populate var_selinux_policy_name
+ 
+-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
++{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+new file mode 100644
+index 0000000000..1a6eb94953
+--- /dev/null
++++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
++
++SELINUX_FILE='/etc/selinux/config'
++
++if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
++	sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
++else
++	echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
++fi
+diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+index b465ac6729..1c1560a86c 100644
+--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
++++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+@@ -3,11 +3,6 @@
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+ - (xccdf-var var_selinux_state)
+ 
+-- name: "{{{ rule_title }}}"
+-  lineinfile:
+-    path: /etc/sysconfig/selinux
+-    regexp: '^SELINUX='
+-    line: "SELINUX={{ var_selinux_state }}"
+-    create: yes
++{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
+diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+index 58193b5504..a402a861d7 100644
+--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+@@ -1,10 +1,11 @@
+ # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
+-#
++
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
++
+ populate var_selinux_state
+ 
+-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
++{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
+ 
+ fixfiles onboot
+ fixfiles -f relabel
+diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
+new file mode 100644
+index 0000000000..180dd80791
+--- /dev/null
++++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
++
++SELINUX_FILE='/etc/selinux/config'
++sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
+diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
+new file mode 100644
+index 0000000000..3db1e56b5f
+--- /dev/null
++++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
++
++SELINUX_FILE='/etc/selinux/config'
++
++if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
++	sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
++else
++	echo 'SELINUX=permissive' >> $SELINUX_FILE
++fi
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 6798a25d1f..01d3155b37 100644
+--- a/shared/macros-ansible.jinja
++++ b/shared/macros-ansible.jinja
+@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
+ {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+ {{%- endmacro %}}
+ 
++{{#
++  High level macro to set a parameter in /etc/selinux/config.
++  Parameters:
++  - msg: the name for the Ansible task
++  - parameter: parameter to be set in the configuration file
++  - value: value of the parameter
++#}}
++{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
++{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
++{{%- endmacro %}}
++
+ {{#
+   Generates an Ansible task that puts 'contents' into a file at 'filepath'
+   Parameters:
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 3a94fe5dd8..2531d1c52d 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ -86,6 +86,21 @@ populate {{{ name }}}
+     }}}
+ {{%- endmacro -%}}
+ 
++{{%- macro bash_selinux_config_set(parameter, value) -%}}
++{{{ set_config_file(
++        path="/etc/selinux/config",
++        parameter=parameter,
++        value=value,
++        create=true,
++        insert_after="",
++        insert_before="",
++        insensitive=true,
++        separator="=",
++        separator_regex="\s*=\s*",
++        prefix_regex="^\s*")
++    }}}
++{{%- endmacro -%}}
++
+ {{#
+ # Install a package
+ # Uses the right command based on pkg_manger proprerty defined in product.yaml.
+
+From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Wed, 27 May 2020 18:48:57 +0200
+Subject: [PATCH 2/2] Remediation requires reboot.
+
+Update OVAL check to disallow spaces.
+Removed selinuxtype_minimum test scenario since breaks the system.
+---
+ .../selinux/selinux_policytype/ansible/shared.yml      |  2 +-
+ .../system/selinux/selinux_policytype/bash/shared.sh   |  4 ++++
+ .../system/selinux/selinux_policytype/oval/shared.xml  |  2 +-
+ .../tests/selinuxtype_minimum.fail.sh                  | 10 ----------
+ .../guide/system/selinux/selinux_state/bash/shared.sh  |  4 ++++
+ .../guide/system/selinux/selinux_state/oval/shared.xml |  2 +-
+ shared/macros-ansible.jinja                            |  2 +-
+ shared/macros-bash.jinja                               |  4 ++--
+ 8 files changed, 14 insertions(+), 16 deletions(-)
+ delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+index 9f8cf66dfb..73e6ec7cd4 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
++++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+@@ -1,5 +1,5 @@
+ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+-# reboot = false
++# reboot = true
+ # strategy = restrict
+ # complexity = low
+ # disruption = low
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+index 2b5ce31b12..b4f79c97f9 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+@@ -1,4 +1,8 @@
+ # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
++# reboot = true
++# strategy = restrict
++# complexity = low
++# disruption = low
+ 
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+index f1840a1290..3d69fff07f 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
++++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+@@ -27,7 +27,7 @@
+ 
+   <ind:textfilecontent54_object id="obj_selinux_policy" version="1">
+     <ind:filepath>/etc/selinux/config</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
++    <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ </def-group>
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+deleted file mode 100644
+index 1a6eb94953..0000000000
+--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
++++ /dev/null
+@@ -1,10 +0,0 @@
+-#!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+-
+-SELINUX_FILE='/etc/selinux/config'
+-
+-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
+-	sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
+-else
+-	echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
+-fi
+diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+index a402a861d7..645a7acab4 100644
+--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+@@ -1,4 +1,8 @@
+ # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
++# reboot = true
++# strategy = restrict
++# complexity = low
++# disruption = low
+ 
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+index c0881696e1..8c328060af 100644
+--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
++++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+@@ -18,7 +18,7 @@
+ 
+   <ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
+     <ind:filepath>/etc/selinux/config</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
++    <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 01d3155b37..580a0b948e 100644
+--- a/shared/macros-ansible.jinja
++++ b/shared/macros-ansible.jinja
+@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
+   - value: value of the parameter
+ #}}
+ {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
+-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
++{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
+ {{%- endmacro %}}
+ 
+ {{#
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 2531d1c52d..8abcc914d3 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ -96,8 +96,8 @@ populate {{{ name }}}
+         insert_before="",
+         insensitive=true,
+         separator="=",
+-        separator_regex="\s*=\s*",
+-        prefix_regex="^\s*")
++        separator_regex="=",
++        prefix_regex="^")
+     }}}
+ {{%- endmacro -%}}
+ 
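Review bot: In selinux_permissive.fail.sh the sed replacement `\permissive` has no group number, so the captured `SELINUX=` prefix is not written back; under GNU sed the line most likely becomes just `permissive`, and the scenario then exercises a missing key rather than a permissive setting. The replacement should be `\1permissive`, i.e. `sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\1permissive/' $SELINUX_FILE`. The guard `grep -s '^[[:space:]]*SELINUX'` also matches a `SELINUXTYPE` line, so the `else` branch is skipped when only that line exists; anchoring on `SELINUX[[:space:]]*=` avoids it, and the same prefix match in selinux_missing.fail.sh deletes the `SELINUXTYPE` line as well. selinuxtype_minimum.fail.sh carried the same `\minimum` replacement but is removed again by PATCH 2/2.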
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
new file mode 100644
index 0000000..1e028b7
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
@@ -0,0 +1,40 @@
+From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 15 May 2020 23:36:18 +0200
+Subject: [PATCH] Ansible mount_option: split mount and option task
+
+Separate task that adds mount options mounts the mountpoint into two tasks.
+Conditioning the "mount" task on the absence of the target mount option
+caused the task to always be skipped when mount option was alredy present,
+and could result in the mount point not being mounted.
+---
+ shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
+index 95bede25f9..a0cf8d6b7a 100644
+--- a/shared/templates/template_ANSIBLE_mount_option
++++ b/shared/templates/template_ANSIBLE_mount_option
+@@ -26,14 +26,19 @@
+     - device_name.stdout is defined and device_name.stdout_lines is defined
+     - (device_name.stdout | length > 0)
+ 
+-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
++- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
++  set_fact:
++    mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
++  when:
++    - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
++
++- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
+   mount:
+     path: "{{{ MOUNTPOINT }}}"
+     src: "{{ mount_info.source }}"
+-    opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
++    opts: "{{ mount_info.options }}"
+     state: "mounted"
+     fstype: "{{ mount_info.fstype }}"
+   when:
+-    - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+     - device_name.stdout is defined
+     - (device_name.stdout | length > 0)
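Review bot: The guard on the new `set_fact` task, `"{{{ MOUNTOPTION }}}" not in mount_info.options`, looks like a substring test, since the same task builds `options` by string concatenation. An existing option that merely contains the target text would then make the task skip, and the hardening option would never be appended. Matching whole entries, `"{{{ MOUNTOPTION }}}" not in mount_info.options.split(',')`, makes the check exact. The task name also has a stray word ("is part of the to {{{ MOUNTPOINT }}} options").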
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
new file mode 100644
index 0000000..47b9cdb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
@@ -0,0 +1,33 @@
+From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 14 May 2020 16:46:07 +0200
+Subject: [PATCH] reorder groups because of permissions verification
+
+---
+ ssg/build_yaml.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
+index e3e138283c..c9f3179c08 100644
+--- a/ssg/build_yaml.py
++++ b/ssg/build_yaml.py
+@@ -700,6 +700,11 @@ def to_xml_element(self):
+         # audit_rules_privileged_commands, othervise the rule
+         # does not catch newly installed screeen binary during remediation
+         # and report fail
++        # the software group should come before the
++        # bootloader-grub2 group because of conflict between
++        # rules rpm_verify_permissions and file_permissions_grub2_cfg
++        # specific rules concerning permissions should
++        # be applied after the general rpm_verify_permissions
+         # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
+         # the firewalld_activation must come before ruleset_modifications, othervise
+         # remediations for ruleset_modifications won't work
+@@ -707,6 +712,7 @@ def to_xml_element(self):
+         # otherwise the remediation prints error although it is successful
+         priority_order = [
+             "accounts", "auditing",
++            "software", "bootloader-grub2",
+             "fips", "crypto",
+             "firewalld_activation", "ruleset_modifications",
+             "disabling_ipv6", "configuring_ipv6"
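Review bot: The added comment in `to_xml_element` justifies the new `"software", "bootloader-grub2"` entry by naming two rules, but `priority_order` lists groups, and nothing visible here ties rpm_verify_permissions or file_permissions_grub2_cfg to those groups. If either rule is later moved to another group, the ordering would silently stop protecting the stricter grub2 permission fix from being reset. Assuming the rules live in the groups the comment implies, state that mapping directly, e.g. `# rpm_verify_permissions (group software) must run before file_permissions_grub2_cfg (group bootloader-grub2)`. The function body starts before and continues past this hunk, so how the list is consumed is not visible here.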
diff --git a/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
new file mode 100644
index 0000000..4b69221
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
@@ -0,0 +1,1216 @@
+From 29eb0f64454f275085015b481a59184e73ebe7f6 Mon Sep 17 00:00:00 2001
+From: Shawn Wells <shawn@redhat.com>
+Date: Sun, 29 Mar 2020 00:58:02 -0400
+Subject: [PATCH 01/20] update CIS RHEL8 profile
+
+---
+ .../service_crond_enabled/rule.yml            |   2 +-
+ .../r_services/no_rsh_trust_files/rule.yml    |   8 +-
+ .../rule.yml                                  |   2 +-
+ .../account_unique_name/rule.yml              |  11 +-
+ .../accounts_maximum_age_login_defs/rule.yml  |   2 +-
+ .../accounts_minimum_age_login_defs/rule.yml  |   1 +
+ .../rule.yml                                  |   1 +
+ .../var_accounts_maximum_age_login_defs.var   |   1 +
+ .../password_storage/no_netrc_files/rule.yml  |   4 +-
+ .../accounts_no_uid_except_zero/rule.yml      |   2 +-
+ .../no_direct_root_logins/rule.yml            |   2 +-
+ .../rule.yml                                  |   1 +
+ .../accounts-session/accounts_tmout/rule.yml  |   1 +
+ .../rule.yml                                  |   1 +
+ .../rule.yml                                  |   1 +
+ .../file_permissions_home_dirs/rule.yml       |   4 +-
+ .../rsyslog_files_permissions/rule.yml        |   2 +-
+ .../ensure_logrotate_activated/rule.yml       |   1 +
+ .../package_rsyslog_installed/rule.yml        |   2 +-
+ .../rsyslog_nolisten/rule.yml                 |   2 +
+ .../rsyslog_remote_loghost/rule.yml           |   4 +-
+ .../logging/service_rsyslog_enabled/rule.yml  |   2 +-
+ rhel8/profiles/cis.profile                    | 141 ++++++++++++------
+ shared/references/cce-redhat-avail.txt        |   2 -
+ 24 files changed, 137 insertions(+), 63 deletions(-)
+
+diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+index a1f82cf5c9..09d1a92a55 100644
+--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
++++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
+@@ -24,7 +24,7 @@ identifiers:
+ references:
+     stigid@rhel6: "000224"
+     srg@rhel6: SRG-OS-999999
+-    cis: 5.1.1
++    cis@rhel8: 5.1.1
+     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
+     nist: CM-6(a)
+     nist-csf: PR.IP-1,PR.PT-3
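Review bot: Renaming the key from `cis` to `cis@rhel8` on the `references` line drops the CIS reference for every other product built from this rule file, and the neighbouring `stigid@rhel6` and `srg@rhel6` keys suggest the file is shared rather than RHEL 8 only. The same rename recurs in the hunks for no_rsh_trust_files, set_password_hashing_algorithm_systemauth, accounts_maximum_age_login_defs, accounts_no_uid_except_zero, no_direct_root_logins, rsyslog_files_permissions, package_rsyslog_installed, rsyslog_remote_loghost and service_rsyslog_enabled. If the old number is still correct for another product's benchmark, keep it under that product's key (`cis@<product>: 5.1.1`) next to the new line instead of deleting it, so compliance mappings generated for that product do not lose the control ID.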
+diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
+index 2ccf4127b7..ec2fa6c012 100644
+--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
++++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
+@@ -12,9 +12,9 @@ description: |-
+     <pre>$ rm ~/.rhosts</pre>
+ 
+ rationale: |-
+-    Trust files are convenient, but when
+-    used in conjunction with the R-services, they can allow
+-    unauthenticated access to a system.
++    This action is only meaningful if <tt>.rhosts</tt> support is permitted
++    through PAM. Trust files are convenient, but when used in conjunction with
++    the R-services, they can allow unauthenticated access to a system.
+ 
+ severity: high
+ 
+@@ -26,7 +26,7 @@ identifiers:
+ references:
+     stigid@rhel6: "000019"
+     srg@rhel6: SRG-OS-000248
+-    cis: 6.2.14
++    cis@rhel8: 6.2.13
+     disa: "1436"
+     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
+     nist: CM-7(a),CM-7(b),CM-6(a)
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+index fff30d70c7..7a1538392a 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+@@ -43,7 +43,7 @@ references:
+     stigid@rhel6: "000062"
+     srg@rhel6: SRG-OS-000120
+     disa@rhel6: '803'
+-    cis: 6.3.1
++    cis@rhel8: 5.4.4
+     cjis: 5.6.2.2
+     cui: 3.13.11
+     disa: "196"
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+index 2cdafc0609..35652a410b 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+@@ -2,9 +2,15 @@ documentation_complete: true
+ 
+ title: 'Ensure All Accounts on the System Have Unique Names'
+ 
+-description: 'Change usernames, or delete accounts, so each has a unique name.'
++description: |-
++    Although the <tt>useradd</tt> utility prevents creation of duplicate user
++    names, it is possible for a malicious administrator to manually edit the
++    <tt>/etc/passwd</tt> file and change the user name.
+ 
+-rationale: 'Unique usernames allow for accountability on the system.'
++rationale: |-
++    If a user is assigned a duplicate user name, the new user will be able to
++    create and have access to files with the first UID for that username as
++    defined in <tt>/etc/passwd</tt>.
+ 
+ severity: medium
+ 
+@@ -19,6 +25,7 @@ references:
+     cjis: 5.5.2
+     disa: 770,804
+     pcidss: Req-8.1.1
++    cis@rhel8: 6.2.17
+ 
+ ocil_clause: 'a line is returned'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+index af1ea13d8f..c2c4aa11bc 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+@@ -34,7 +34,7 @@ references:
+     stigid@rhel6: "000053"
+     srg@rhel6: SRG-OS-000076
+     disa@rhel6: '180'
+-    cis: 5.4.1.1
++    cis@rhel8: 5.5.1.1
+     cjis: 5.6.2.1
+     cui: 3.5.6
+     disa: "199"
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+index 2de12efb3e..6147d672a4 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+@@ -44,6 +44,7 @@ references:
+     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+     cis-csc: 1,12,15,16,5
++    cis@rhel8: 5.5.1.2
+ 
+ ocil_clause: 'it is not equal to or greater than the required value'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
+index 3a5c00708d..2a1005bd20 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
+@@ -33,6 +33,7 @@ references:
+     cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+     iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+     cis-csc: 1,12,13,14,15,16,18,3,5,7,8
++    cis@rhel8: 5.5.1.3
+ 
+ ocil_clause: 'it is not set to the required value'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
+index 731f8f475f..11eb238c5d 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
+@@ -9,6 +9,7 @@ type: number
+ interactive: false
+ 
+ options:
++    365: 365
+     120: 120
+     180: 180
+     60: 60
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+index 01454a7274..8547893201 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+@@ -11,8 +11,7 @@ description: |-
+ 
+ rationale: |-
+     Unencrypted passwords for remote FTP servers may be stored in <tt>.netrc</tt>
+-    files. DoD policy requires passwords be encrypted in storage and not used
+-    in access scripts.
++    files. 
+ 
+ severity: medium
+ 
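Review bot: The added line `files. ` ends with a trailing space, which inside the `|-` block scalar becomes part of the `rationale` value; it should read `files.`. With the DoD sentence removed, the rationale also no longer says why a stored cleartext password matters. One replacement sentence would restore that, for example that any account or process able to read the file obtains the FTP credentials.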
+@@ -24,6 +23,7 @@ identifiers:
+ references:
+     stigid@rhel6: "000347"
+     srg@rhel6: SRG-OS-000073
++    cis@rhel8: 6.2.11
+     disa: "196"
+     nist: IA-5(h),IA-5(1)(c),CM-6(a),IA-5(7)
+     nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+index 0b61daf925..14f9140687 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+@@ -31,7 +31,7 @@ references:
+     stigid@ol7: "020310"
+     stigid@rhel6: "000032"
+     srg@rhel6: SRG-OS-999999
+-    cis: 6.2.5
++    cis@rhel8: 6.2.6
+     cui: 3.1.1,3.1.5
+     disa: "366"
+     nist: IA-2,AC-6(5),IA-4(b)
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+index 1d08bde4d9..9e00f3aad6 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+@@ -33,7 +33,7 @@ identifiers:
+     cce@ocp4: 82698-2
+ 
+ references:
+-    cis: "5.5"
++    cis@rhel8: "5.6"
+     cui: 3.1.1,3.1.6
+     hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
+     nist: IA-2,CM-6(a)
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+index ae8ba133b7..0c26ac3240 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+@@ -35,6 +35,7 @@ references:
+     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+     cis-csc: 12,13,14,15,16,18,3,5
++    cis@rhel8: "5.6"
+     srg: SRG-OS-000324-GPOS-00125
+ 
+ ocil_clause: 'root login over virtual console devices is permitted'
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+index 787f2264de..f09006b72b 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+@@ -38,6 +38,7 @@ references:
+     cobit5: DSS05.04,DSS05.10,DSS06.10
+     iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+     cis-csc: 1,12,15,16
++    cis@rhel8: 5.5.3
+     anssi: NT28(R29)
+ 
+ ocil_clause: 'value of TMOUT is not less than or equal to expected setting'
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index e7e9a751a4..bedf3a0b19 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -27,6 +27,7 @@ references:
+     disa: "366"
+     srg: SRG-OS-000480-GPOS-00227
+     stigid@rhel7: "020620"
++    cis@rhel8: 6.2.20
+ 
+ ocil_clause: 'users home directory does not exist'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index d58884235e..1c5ac8d099 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -26,6 +26,7 @@ references:
+     disa: "366"
+     srg: SRG-OS-000480-GPOS-00227
+     stigid@rhel7: "020650"
++    cis@rhel8: 6.2.8
+ 
+ ocil_clause: 'the group ownership is incorrect'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
+index 8812f9d123..27c190b5b1 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
+@@ -22,11 +22,12 @@ rationale: |-
+     to one another's home directories, this can be provided using
+     groups or ACLs.
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+     cce@rhel6: 26981-1
+     cce@rhel7: 80201-7
++    cce@rhel8: 84274-0
+ 
+ references:
+     disa: "225"
+@@ -37,6 +38,7 @@ references:
+     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+     cis-csc: 12,13,14,15,16,18,3,5
++    cis@rhel8: 6.2.7
+ 
+ ocil_clause: 'the user home directory is group-writable or world-readable'
+ 
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
+index 4c1e69020b..aa6e0905ae 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
+@@ -31,7 +31,7 @@ references:
+     anssi: NT28(R36)
+     stigid@rhel6: "000135"
+     srg@rhel6: SRG-OS-000206
+-    cis: 4.2.1.3
++    cis@rhel8: 4.2.1.3
+     disa: "1314"
+     nist: CM-6(a),AC-6(1)
+     pcidss: Req-10.5.1,Req-10.5.2
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+index def9566692..2c41a3b9ef 100644
+--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+@@ -35,6 +35,7 @@ references:
+     cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
+     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
+     cis-csc: 1,14,15,16,3,5,6
++    cis@rhel8: 4.3
+     anssi: NT28(R43),NT12(R18)
+ 
+ ocil_clause: 'logrotate is not configured to run daily'
+diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+index 9f00dd9704..00fecf8a3c 100644
+--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
++++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+ references:
+     cis@debian8: 5.1.1
+     anssi: NT28(R5),NT28(R46)
+-    cis: 4.2.3
++    cis@rhel8: 4.2.1.1
+     disa: 1311,1312
+     hipaa: 164.312(a)(2)(ii)
+     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
+diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
+index 8a5a15e1da..14e729252c 100644
+--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+     cce@rhel6: 26803-7
+     cce@rhel7: 80192-8
++    cce@rhel8: 84275-7
+ 
+ references:
+     stigid@ol7: "031010"
+@@ -39,3 +40,4 @@ references:
+     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+     cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
+     stigid@rhel7: "031010"
++    cis@rhel8: 4.2.1.6
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index 7b70b0c186..da28b99561 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -46,8 +46,8 @@ references:
+     anssi: NT28(R7),NT28(R43),NT12(R5)
+     stigid@rhel6: "000136"
+     srg@rhel6: SRG-OS-000043,SRG-OS-000215
+-    cis: 4.2.1.4
+-    disa: 136,366,1348,1851
++    cis@rhel8: 4.2.1.5
++    disa: 366,1348,136,1851
+     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii)
+     iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.17.2.1
+     nist: CM-6(a),AU-4(1),AU-9(2)
+diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+index ce8347c686..92fd6bc4d8 100644
+--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
++++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+@@ -20,7 +20,7 @@ identifiers:
+ references:
+     cis@debian8: 5.1.2
+     anssi: NT28(R5),NT28(R46)
+-    cis: 4.2.1.1
++    cis@rhel8: 4.2.1.2
+     disa: 1311,1312,1557,1851
+     hipaa: 164.312(a)(2)(ii)
+     iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2,A.17.2.1
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index cc0c2a5b9a..528f17d696 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -602,87 +602,88 @@ selections:
+ 
+     ### 4.1.9 Ensure discretionary access control permission modification
+     ###       events are collected (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
+     
+     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+     ###        collected (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
+ 
+     ### 4.1.11 Ensure events that modify user/group information are
+     ###        collected (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
+ 
+     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
+ 
+     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
+ 
+     ### 4.1.14 Ensure file deletion events by users are collected
+     ###        (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
+ 
+     ### 4.1.15 Ensure kernel module loading and unloading is collected
+     ###        (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
+ 
+     ### 4.1.16 Ensure system administrator actions (sudolog) are
+     ###        collected (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+ 
+     ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
+ 
+     ## 4.2 Configure Logging
+ 
+     ### 4.2.1 Configure rsyslog
+ 
+     #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+-
++    - package_rsyslog_installed
+ 
+     #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+-
++    - service_rsyslog_enabled
+ 
+     #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+-
++    - rsyslog_files_permissions
+ 
+     #### 4.2.1.4 Ensure logging is configured (Not Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+ 
+     #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+     ####         log host (Scored)   
+-
++    - rsyslog_remote_loghost
+ 
+     #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+     ####         designated log hosts (Not Scored)
+-
++    - rsyslog_nolisten
+ 
+     ### 4.2.2 Configure journald
+ 
+     #### 4.2.2.1 Ensure journald is configured to send logs to
+     ####         rsyslog (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+ 
+     #### 4.2.2.2 Ensure journald is configured to compress large
+     ####         log files (Scored)
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
+ 
+ 
+     #### 4.2.2.3 Ensure journald is configured to write logfiles to
+     ####         persistent disk (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+ 
+     ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+ 
+     ## 4.3 Ensure logrotate is conifgured (Not Scored)
+-
++    - ensure_logrotate_activated
+ 
+     # 5 Access, Authentication and Authorization
+ 
+     ## 5.1 Configure cron
+ 
+-
+     ### 5.1.1 Ensure cron daemon is enabled (Scored)
++    - service_crond_enabled
+ 
+ 
+     ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
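Review bot: Item 4.2.1.6 permits remote messages on designated log hosts, but the selection added under it, `- rsyslog_nolisten`, is unconditional, and judging by the rule's name and its `rsyslog_accepting_remote_messages` directory it expects rsyslog not to listen at all. On a central log server the item would then be reported as failing, and a remediation, if the rule ships one (not visible here), could interrupt log collection. A comment above the selection would make the expectation explicit, e.g. `# fails by design on designated log hosts; tailor this rule out there`. Separately, the many `# NEEDS RULE` placeholders in this hunk mean a scan with this profile says nothing about those Scored items, which is worth stating in the profile `description`.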
+@@ -790,19 +791,19 @@ selections:
+ 
+     ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+     ###        or less (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+ 
+     ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+     - sshd_enable_warning_banner
+ 
+     ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+ 
+     ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+     - sshd_disable_tcp_forwarding
+ 
+     ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
+ 
+     ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+     - sshd_set_max_sessions
+@@ -815,69 +816,75 @@ selections:
+ 
+ 
+     ### 5.3.1 Create custom authselectet profile (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+ 
+     ### 5.3.2 Select authselect profile (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+ 
+     ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+ 
+     ## 5.4 Configure PAM
+ 
+     ### 5.4.1 Ensure password creation requirements are configured (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
+ 
+     ### 5.4.2 Ensure lockout for failed password attempts is
+     ###       configured (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
+ 
+     ### 5.4.3 Ensure password reuse is limited (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
+ 
+     ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+-
++    - set_password_hashing_algorithm_systemauth
+ 
+     ## 5.5 User Accounts and Environment
+ 
+     ### 5.5.1 Set Shadow Password Suite Parameters
+ 
+     #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+-
++    - var_accounts_maximum_age_login_defs=365
++    - accounts_maximum_age_login_defs
+ 
+     #### 5.5.1.2 Ensure minimum days between password changes is 7
+     ####         or more (Scored)
+-
++    - var_accounts_minimum_age_login_defs=7
++    - accounts_minimum_age_login_defs
+ 
+     #### 5.5.1.3 Ensure password expiration warning days is
+     ####         7 or more (Scored)
+-
++    - var_accounts_password_warn_age_login_defs=7
++    - accounts_password_warn_age_login_defs
+ 
+     #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
+ 
+     #### 5.5.1.5 Ensure all users last password change date is
+     ####         in the past (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+ 
+     ### 5.5.2 Ensure system accounts are secured (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
+ 
+     ### 5.5.3 Ensure default user shell timeout is 900 seconds
+     ###       or less (Scored)
+-
++    - var_accounts_tmout=15_min
++    - accounts_tmout
+ 
+     ### 5.5.4 Ensure default group for the root account is
+     ###       GID 0 (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+ 
+     ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+-
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
+ 
+     ## 5.6 Ensure root login is restricted to system console (Not Scored)
+-
++    - securetty_root_login_console_only
++    - no_direct_root_logins
+ 
+     ## 5.7 Ensure access to the su command is restricted (Scored)
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+ 
+     # System Maintenance
+ 
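Review bot: Under `## 5.6 Ensure root login is restricted to system console` the hunk selects both `securetty_root_login_console_only` and `no_direct_root_logins`; judging by its name, the second rule forbids direct root logins altogether, which is stricter than the benchmark item and would leave no console root login for recovery. If that is what the rule enforces, either select only `securetty_root_login_console_only` or add a comment such as `# stricter than CIS 5.6: also blocks root login on the console`, so the extra restriction is a visible decision. The context heading `#### 5.5.1 Ensure password expiration is 365 days or less` also looks like it should read `5.5.1.1`, matching the `cis@rhel8: 5.5.1.1` reference added to accounts_maximum_age_login_defs.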
+@@ -971,8 +978,58 @@ selections:
+     ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+     - no_legacy_plus_entries_etc_passwd
+ 
+-    ## 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
++    ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+     - no_legacy_plus_entries_etc_shadow
+ 
+-    ###6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
++    ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+     - no_legacy_plus_entries_etc_group
++
++    ### 6.2.6 Ensure root is the only UID 0 account (Scored)
++    - accounts_no_uid_except_zero
++
++    ### 6.2.7 Ensure users' home directories permissions are 750
++    ###       or more restrictive (Scored)
++    - file_permissions_home_dirs
++
++    ### 6.2.8 Ensure users own their home directories (Scored)
++    # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
++    - file_groupownership_home_directories
++
++    ### 6.2.9 Ensure users' dot files are not group or world
++    ###       writable (Scored)
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
++
++    ### 6.2.10 Ensure no users have .forward files (Scored)
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
++
++    ### 6.2.11 Ensure no users have .netrc files (Scored)
++    - no_netrc_files
++
++    ### 6.2.12 Ensure users' .netrc Files are not group or
++    ###        world accessible (Scored)
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
++
++    ### 6.2.13 Ensure no users have .rhosts files (Scored)
++    - no_rsh_trust_files
++
++    ### 6.2.14 Ensure all groups in /etc/passwd exist in
++    ###        /etc/group (Scored)
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
++
++    ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
++    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5502
++
++    ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
++    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5501
++
++    ### 6.2.17 Ensure no duplicate user names exist (Scored)
++    - account_unique_name
++
++    ### 6.2.18 Ensure no duplicate group names exist (Scored)
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
++
++    ### 6.2.19 Ensure shadow group is empty (Scored)
++    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
++
++    ### 6.2.20 Ensure all users' home directories exist (Scored)
++    - accounts_user_interactive_home_directory_exists
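Review bot: `### 6.2.8 Ensure users own their home directories` is backed only by `- file_groupownership_home_directories`, whose `ocil_clause` ('the group ownership is incorrect') shows it checks the group rather than the owning user, so a pass on 6.2.8 does not demonstrate that users own their home directories. The `# NEEDS RULE for user owner` comment records the gap in the source, but nobody reading scan results will see it. PATCH 02/20 later tags accounts_users_home_files_ownership with `cis@rhel8: 6.2.8` without selecting it in any hunk visible here. I would mark the entry as partial, e.g. `# PARTIAL: group ownership only, user ownership not checked yet`, and say so in the profile description until the missing rule exists.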
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index feb31b0395..9e7bd35178 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -901,8 +901,6 @@ CCE-84270-8
+ CCE-84271-6
+ CCE-84272-4
+ CCE-84273-2
+-CCE-84274-0
+-CCE-84275-7
+ CCE-84276-5
+ CCE-84277-3
+ CCE-84278-1
+
+From c8a19c84dad5165ece50f6148646f9bbc8c4c3fd Mon Sep 17 00:00:00 2001
+From: Shawn Wells <shawn@shawndwells.io>
+Date: Sat, 25 Apr 2020 18:52:21 -0400
+Subject: [PATCH 02/20] misc cis8 updates
+
+---
+ .../accounts_users_home_files_ownership/rule.yml                | 1 +
+ .../logging/log_rotation/ensure_logrotate_activated/rule.yml    | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+index a9c73e46ac..8e225cdc64 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+@@ -24,6 +24,7 @@ references:
+     stigid@ol7: "020660"
+     disa: "366"
+     srg: SRG-OS-000480-GPOS-00227
++    cis@rhel8: 6.2.8
+     stigid@rhel7: "020660"
+ 
+ ocil_clause: 'the user ownership is incorrect'
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+index 2c41a3b9ef..6e569edfa9 100644
+--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+@@ -35,7 +35,7 @@ references:
+     cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
+     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
+     cis-csc: 1,14,15,16,3,5,6
+-    cis@rhel8: 4.3
++    cis@rhel8: "4.3"
+     anssi: NT28(R43),NT12(R18)
+ 
+ ocil_clause: 'logrotate is not configured to run daily'
+
+From f8d80a55f0cd6bf3b9bf5b75ba037466b7fc89c8 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 22:32:44 +0200
+Subject: [PATCH 03/20] Add auxiliary rule for dconf settings
+
+---
+ rhel8/profiles/cis.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 528f17d696..202db7f693 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -8,6 +8,8 @@ description: |-
+     09-30-2019.
+ 
+ selections:
++    # Necessary for dconf rules
++    - dconf_db_up_to_date
+ 
+     ### Partitioning
+     - mount_option_home_nodev
+
+From 865fe310e82a1eb0fc0c37c8de253dc7171abae7 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 22:43:20 +0200
+Subject: [PATCH 04/20] Update time synchonization rule selections
+
+In RHEL8, only chrony is available
+---
+ rhel8/profiles/cis.profile | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 202db7f693..762d4a04e3 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -256,10 +256,12 @@ selections:
+     ### 2.2.1 Time Synchronization
+ 
+     #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+-    - service_chronyd_or_ntpd_enabled
++    - package_chrony_installed
+ 
+     #### 2.2.1.2 Ensure chrony is configured (Scored)
+-    - chronyd_or_ntpd_specify_remote_server
++    - service_chronyd_enabled
++    - chronyd_specify_remote_server
++    - chronyd_run_as_chrony_user
+ 
+     ### 2.2.2 Ensure X Window System is not installed (Scored)
+     - package_xorg-x11-server-common_removed
+
+From a515b26c5af850dbc7917807397668df8a076249 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 22:49:55 +0200
+Subject: [PATCH 05/20] Select sysctl rules for secure ICMp redirects
+
+Fixes: #5234
+Fixes: #5235
+---
+ rhel8/profiles/cis.profile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 762d4a04e3..3a8e19259b 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -371,14 +371,14 @@ selections:
+     - sysctl_net_ipv6_conf_all_accept_redirects
+ 
+     #### net.ipv6.conf.defaults.accept_redirects = 0
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5234
++    - sysctl_net_ipv6_conf_default_accept_redirects
+ 
+     ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+     #### net.ipv4.conf.all.secure_redirects = 0
+     - sysctl_net_ipv4_conf_all_secure_redirects
+ 
+     #### net.ipv4.cof.default.secure_redirects = 0
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5235
++    - sysctl_net_ipv4_conf_default_secure_redirects
+ 
+     ### 3.2.4 Ensure suspicious packets are logged (Scored)
+     #### net.ipv4.conf.all.log_martians = 1
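Review bot: The two headings above the newly selected rules misname the sysctl keys: `net.ipv4.cof.default.secure_redirects` and `net.ipv6.conf.defaults.accept_redirects`. Both are unchanged context lines, but they now sit directly above rule ids that spell the keys correctly, so a search of the profile for the key name misses them. I would correct them in the same commit to `#### net.ipv4.conf.default.secure_redirects = 0` and `#### net.ipv6.conf.default.accept_redirects = 0`.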
+
+From d14ce8e0ab8c39282883520bb141919af379d0fa Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:02:09 +0200
+Subject: [PATCH 06/20] Select Audit DAC rules for RHEL8 CIS
+
+Fixes: #5509
+---
+ rhel8/profiles/cis.profile | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 3a8e19259b..a990de4565 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -606,7 +606,19 @@ selections:
+ 
+     ### 4.1.9 Ensure discretionary access control permission modification
+     ###       events are collected (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
++    - audit_rules_dac_modification_chmod
++    - audit_rules_dac_modification_fchmod
++    - audit_rules_dac_modification_fchmodat
++    - audit_rules_dac_modification_chown
++    - audit_rules_dac_modification_fchown
++    - audit_rules_dac_modification_fchownat
++    - audit_rules_dac_modification_lchown
++    - audit_rules_dac_modification_setxattr
++    - audit_rules_dac_modification_lsetxattr
++    - audit_rules_dac_modification_fsetxattr
++    - audit_rules_dac_modification_removexattr
++    - audit_rules_dac_modification_lremovexattr
++    - audit_rules_dac_modification_fremovexattr
+     
+     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+     ###        collected (Scored)
+
+From aec372e7bd05b3ed470f188952dbf11a6ae123ad Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:07:34 +0200
+Subject: [PATCH 07/20] Select rules for unsuccessful modification
+
+Fixes: #5510
+---
+ rhel8/profiles/cis.profile | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index a990de4565..db54d9ece5 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -622,7 +622,13 @@ selections:
+     
+     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+     ###        collected (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
++    - audit_rules_unsuccessful_file_modification_creat
++    - audit_rules_unsuccessful_file_modification_open
++    - audit_rules_unsuccessful_file_modification_openat
++    - audit_rules_unsuccessful_file_modification_truncate
++    - audit_rules_unsuccessful_file_modification_ftruncate
++    # Opinionated selection
++    - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ 
+     ### 4.1.11 Ensure events that modify user/group information are
+     ###        collected (Scored)
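Review bot: The comment `# Opinionated selection` above `audit_rules_unsuccessful_file_modification_open_by_handle_at` does not say why the rule is selected or that it goes beyond the benchmark item. The same bare comment is used for `audit_rules_file_deletion_events_rmdir` in PATCH 11/20. Someone auditing the profile against the benchmark needs to know which selections are additions so they are not dropped in a later sync. Something like `# Not listed in CIS 4.1.10; kept because open_by_handle_at is another way to open a file` would carry that, though the stated reason is my reading of the rule name and should be confirmed.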
+
+From 69493775c8a5b140f55802f7dca84c659662039c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:10:45 +0200
+Subject: [PATCH 08/20] Select rules for user/group modification
+
+Fixes: #5511
+---
+ rhel8/profiles/cis.profile | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index db54d9ece5..f8ec16b9a8 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -632,7 +632,11 @@ selections:
+ 
+     ### 4.1.11 Ensure events that modify user/group information are
+     ###        collected (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
++    - audit_rules_usergroup_modification_passwd
++    - audit_rules_usergroup_modification_group
++    - audit_rules_usergroup_modification_gshadow
++    - audit_rules_usergroup_modification_shadow
++    - audit_rules_usergroup_modification_opasswd
+ 
+     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
+
+From 86c35876312882a861d253e13d31ff5bfc32630b Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:12:58 +0200
+Subject: [PATCH 09/20] Audit successful system mounts
+
+Fixes: #5512
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index f8ec16b9a8..e4f5313e3e 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -639,7 +639,7 @@ selections:
+     - audit_rules_usergroup_modification_opasswd
+ 
+     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
++    - audit_rules_media_export
+ 
+     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
+
+From ea7ef606c881fdddecfef036383fbd0718950162 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:14:21 +0200
+Subject: [PATCH 10/20] Audit privileged commands
+
+Fixes: #5513
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index e4f5313e3e..087dd79bb5 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -642,7 +642,7 @@ selections:
+     - audit_rules_media_export
+ 
+     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
++    - audit_rules_privileged_commands
+ 
+     ### 4.1.14 Ensure file deletion events by users are collected
+     ###        (Scored)
+
+From 16d84540566c8fa6d9f6880f3f1fe04edf97b822 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:15:49 +0200
+Subject: [PATCH 11/20] Audit file deletion events
+
+Fixes: #5514
+---
+ rhel8/profiles/cis.profile | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 087dd79bb5..ca42f24190 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -646,7 +646,12 @@ selections:
+ 
+     ### 4.1.14 Ensure file deletion events by users are collected
+     ###        (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
++    - audit_rules_file_deletion_events_unlink
++    - audit_rules_file_deletion_events_unlinkat
++    - audit_rules_file_deletion_events_rename
++    - audit_rules_file_deletion_events_renameat
++    # Opinionated selection
++    - audit_rules_file_deletion_events_rmdir
+ 
+     ### 4.1.15 Ensure kernel module loading and unloading is collected
+     ###        (Scored)
+
+From 8377e1d574a9d0388c0847177f11afe83af3a30f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:16:33 +0200
+Subject: [PATCH 12/20] Audit kernel module loads
+
+Fixes: #5515
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index ca42f24190..5e214941ec 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -655,7 +655,7 @@ selections:
+ 
+     ### 4.1.15 Ensure kernel module loading and unloading is collected
+     ###        (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
++    - audit_rules_kernel_module_loading
+ 
+     ### 4.1.16 Ensure system administrator actions (sudolog) are
+     ###        collected (Scored)
+
+From 7d62c009987be550d074f8e7cacd2e843d1e3061 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:17:52 +0200
+Subject: [PATCH 13/20] Audit rules should be immutable
+
+Fixes: #5517
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 5e214941ec..a0fdd69869 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -662,7 +662,7 @@ selections:
+     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+ 
+     ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
++    - audit_rules_immutable
+ 
+     ## 4.2 Configure Logging
+ 
+
+From 02e2a9744bd9eb969b46b18d4824fae65d5764f3 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:31:10 +0200
+Subject: [PATCH 14/20] Select rules for password requirements
+
+Related to: #5533
+---
+ rhel8/profiles/cis.profile | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index a0fdd69869..a55c3291a9 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -858,7 +858,12 @@ selections:
+     ## 5.4 Configure PAM
+ 
+     ### 5.4.1 Ensure password creation requirements are configured (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
++    # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
++    - accounts_password_pam_retry
++    - var_password_pam_minlen=14
++    - accounts_password_pam_minlen
++    - var_password_pam_minclass=4
++    - accounts_password_pam_minclass
+ 
+     ### 5.4.2 Ensure lockout for failed password attempts is
+     ###       configured (Scored)
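Review bot: `accounts_password_pam_retry` is selected without a value for its variable, whereas the two rules next to it get `var_password_pam_minlen=14` and `var_password_pam_minclass=4`. The retry limit the profile enforces therefore depends on the variable's default, which is not visible in this patch and can change upstream without this file changing. I would pin it next to the rule, e.g. `- var_password_pam_retry=3`, with the value checked against the benchmark's 5.4.1 text.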
+
+From bec97effc13e0056cbcdc939620e78669558f9a4 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:35:50 +0200
+Subject: [PATCH 15/20] Configure password lockout
+
+Fixes: #5534
+---
+ rhel8/profiles/cis.profile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index a55c3291a9..6e10c2efcb 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -867,7 +867,10 @@ selections:
+ 
+     ### 5.4.2 Ensure lockout for failed password attempts is
+     ###       configured (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
++    - var_accounts_passwords_pam_faillock_unlock_time=900
++    - var_accounts_passwords_pam_faillock_deny=5
++    - accounts_passwords_pam_faillock_unlock_time
++    - accounts_passwords_pam_faillock_deny
+ 
+     ### 5.4.3 Ensure password reuse is limited (Scored)
+     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
+
+From 73a087ed0b13bb73f1e60792c4d2e3c3aa944cd9 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:38:58 +0200
+Subject: [PATCH 16/20] Configure password reuse
+
+Fixes: #5535
+---
+ rhel8/profiles/cis.profile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 6e10c2efcb..2fa85d8676 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -873,7 +873,8 @@ selections:
+     - accounts_passwords_pam_faillock_deny
+ 
+     ### 5.4.3 Ensure password reuse is limited (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
++    - var_password_pam_unix_remember=5
++    - accounts_password_pam_unix_remember
+ 
+     ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+     - set_password_hashing_algorithm_systemauth
+
+From 4307123e1889359b1c444d55a9b221bc5b3f7970 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:43:04 +0200
+Subject: [PATCH 17/20] Select rule to check useradd INACTIVE setting
+
+Related to: #5536
+---
+ rhel8/profiles/cis.profile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 2fa85d8676..e0fd5e1492 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -898,7 +898,10 @@ selections:
+     - accounts_password_warn_age_login_defs
+ 
+     #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
++    # TODO: Rule doesn't check list of users
++    # https://github.com/ComplianceAsCode/content/issues/5536
++    - var_account_disable_post_pw_expiration=30
++    - account_disable_post_pw_expiration
+ 
+     #### 5.5.1.5 Ensure all users last password change date is
+     ####         in the past (Scored)
+
+From 07752fbac033400946c29fe6cbfe553913e4a96c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:46:48 +0200
+Subject: [PATCH 18/20] No shelllogin for system accounts
+
+Fixes: #5538
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index e0fd5e1492..0431fb0d45 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -908,7 +908,7 @@ selections:
+     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+ 
+     ### 5.5.2 Ensure system accounts are secured (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
++    - no_shelllogin_for_systemaccounts
+ 
+     ### 5.5.3 Ensure default user shell timeout is 900 seconds
+     ###       or less (Scored)
+
+From e46c2cfb8541f559b234df9a8a478494db46e785 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 23:54:07 +0200
+Subject: [PATCH 19/20] Partially cover umask requirements
+
+Related to: #5540
+---
+ rhel8/profiles/cis.profile | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 0431fb0d45..f332ee5462 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -920,7 +920,9 @@ selections:
+     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+ 
+     ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
++    - var_accounts_user_umask=027
++    - accounts_umask_etc_bashrc
++    - accounts_umask_etc_profile
+ 
+     ## 5.6 Ensure root login is restricted to system console (Not Scored)
+     - securetty_root_login_console_only
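Review bot: The hunk deletes the `# NEEDS RULE` line for 5.5.5 even though the commit is titled "Partially cover umask requirements" and says only "Related to: #5540", so the profile no longer shows that this item is incomplete. PATCH 14/20 and PATCH 17/20 keep a comment with the issue link in the same situation. I would keep one here too, e.g. `# TODO: partial coverage only - https://github.com/ComplianceAsCode/content/issues/5540` above `- var_accounts_user_umask=027`, so a compliance report built from this profile is not read as fully covering the item.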
+
+From 586cedfb95523acbe0c0c92953851d6536c29230 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 May 2020 22:31:16 +0200
+Subject: [PATCH 20/20] account_unique_name: Improve description, rationale and
+ OCIL
+
+---
+ .../account_unique_name/rule.yml              | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+index 35652a410b..909f1b6657 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+@@ -3,14 +3,13 @@ documentation_complete: true
+ title: 'Ensure All Accounts on the System Have Unique Names'
+ 
+ description: |-
+-    Although the <tt>useradd</tt> utility prevents creation of duplicate user
+-    names, it is possible for a malicious administrator to manually edit the
+-    <tt>/etc/passwd</tt> file and change the user name.
++    Ensure accounts on the system have unique names.
+ 
+-rationale: |-
+-    If a user is assigned a duplicate user name, the new user will be able to
+-    create and have access to files with the first UID for that username as
+-    defined in <tt>/etc/passwd</tt>.
++    To ensure all accounts have unique names, run the following command:
++    <pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</pre>
++    If a username is returned, change or delete the username.
++
++rationale: 'Unique usernames allow for accountability on the system.'
+ 
+ severity: medium
+ 
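Review bot: The new check `getent passwd | awk -F: '{ print $1}' | uniq -d` in `description` reports only duplicates on adjacent lines, because `uniq` compares each line with the one before it. Two accounts that share a name but are separated by other entries produce no output, so the manual check passes on a system that violates the rule. The same pipeline is added to `ocil` in the second hunk of this file. Sorting first closes the gap: `getent passwd | awk -F: '{ print $1}' | sort | uniq -d`. The shortened `rationale` also drops the explanation that a duplicate name gives access to files owned by the first UID for that name, which I would keep as a second sentence.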
+@@ -30,6 +29,6 @@ references:
+ ocil_clause: 'a line is returned'
+ 
+ ocil: |-
+-    Run the following command to check for duplicate account names:
+-    <pre>$ sudo pwck -qr</pre>
+-    If there are no duplicate names, no line will be returned.
++    To verify all accounts have unique names, run the following command:
++    <pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</pre>
++    No output should be returned.
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 2eb0e31..adabcf5 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name:		scap-security-guide
-Version:	0.1.49
-Release:	1%{?dist}
+Version:	0.1.50
+Release:	5%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 Group:		Applications/System
 License:	BSD
@@ -8,6 +8,18 @@ URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0:		disable-not-in-good-shape-profiles.patch
+Patch1:		scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
+Patch2:		scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
+Patch3:		scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
+Patch4:		scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
+Patch5:		scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
+# Patch6 already contains typo fix
+Patch6:		scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
+Patch7:		scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
+Patch8:		scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
+Patch9:		scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
+Patch10:		scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
+Patch11:		scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
 BuildArch:	noarch
 
 # To get python3 inside the buildroot require its path explicitly in BuildRequires
@@ -42,6 +54,17 @@ present in %{name} package.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 mkdir build
 
 %build
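Review bot: The eleven `%patchN -p1` lines added by hand in `%prep` each have to stay in step with a `PatchN:` tag in the preamble. A patch that is declared but not listed here is silently not applied, which for this package means shipping a profile without a fix the changelog claims. Replacing `%setup -q` and the `%patch` lines with `%autosetup -p1` applies every declared patch in order and removes that failure mode. If the explicit list is kept, a comment such as `# keep in sync with the PatchN: tags above` would help.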
@@ -76,6 +99,32 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
+- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
+
+* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
+- CIS Ansible fixes (RHBZ#1760734)
+- HIPAA Ansible fixes (RHBZ#1832760)
+
+* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
+ - HIPAA Profile (RHBZ#1832760)
+  - Enable build of RHEL8 HIPAA Profile
+  - Add kickstarts for HIPAA
+- CIS Profile (RHBZ#1760734)
+  - Add Ansible fix for sshd_set_max_sessions
+  - Add CIS Profile content attribution to Center for Internet Security
+
+* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
+- Fix Ansible for no_direct_root_logins
+- Fix Ansible template for SELinux booleans
+- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
+- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
+- Update to the latest upstream release (RHBZ#1815007)
+
 * Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
 - Update to the latest upstream release (RHBZ#1815007)