import scap-security-guide-0.1.69-3.el9_3

10 months ago · 4c0eef54db
parent bac9bbb61b
commit 4c0eef54db
11 changed files with 19403 additions and 11 deletions
--- a/SOURCES/scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
+++ b/SOURCES/scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
@ -0,0 +1,91 @@
 From d98cffdc7ebd3c266e71ead933d401188ef0d66a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 5 Dec 2023 16:05:37 +0100
 Subject: [PATCH 07/14] Add rule `package_s-nail-installed`
 Patch-name: scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
 Patch-status: Add rule `package_s-nail-installed`
 ---
 components/s-nail.yml                         |  5 +++
 .../srg_gpos/SRG-OS-000363-GPOS-00150.yml     |  1 +
 .../mail/package_s-nail_installed/rule.yml    | 33 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt        |  1 -
 4 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 components/s-nail.yml
 create mode 100644 linux_os/guide/services/mail/package_s-nail_installed/rule.yml
 diff --git a/components/s-nail.yml b/components/s-nail.yml
 new file mode 100644
 index 0000000000..d93f8c52dc
 --- /dev/null
 +++ b/components/s-nail.yml
@@ -0,0 +1,5 @@
 +name: s-nail
 +packages:
 +- s-nail
 +rules:
 +- package_s-nail_installed
 diff --git a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
 index 3ffba82f03..05a10a2304 100644
 --- a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
 +++ b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
@@ -7,4 +7,5 @@ controls:
         rules:
             - aide_periodic_cron_checking
             - package_aide_installed
 +            - package_s-nail_installed
         status: automated
 diff --git a/linux_os/guide/services/mail/package_s-nail_installed/rule.yml b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
 new file mode 100644
 index 0000000000..e14fbc9f35
 --- /dev/null
 +++ b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
@@ -0,0 +1,33 @@
 +documentation_complete: true
 +
 +prodtype: rhel9
 +
 +title: 'The s-nail Package Is Installed'
 +
 +description: |-
 +    A mail server is required for sending emails.
 +    {{{ describe_package_install(package="s-nail") }}}
 +
 +rationale: |-
 +    Emails can be used to notify designated personnel about important
 +    system events such as failures or warnings.
 +
 +severity: medium
 +
 +identifiers:
 +    cce@rhel9: CCE-86608-7
 +
 +references:
 +    disa: CCI-001744
 +    nist: CM-3(5)
 +    srg: SRG-OS-000363-GPOS-00150
 +
 +ocil_clause: 'the package is not installed'
 +
 +ocil: '{{{ ocil_package(package="s-nail") }}}'
 +
 +template:
 +    name: package_installed
 +    vars:
 +        pkgname: s-nail
 +
 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
 index ef6afd3fbe..538d9d488d 100644
 --- a/shared/references/cce-redhat-avail.txt
 +++ b/shared/references/cce-redhat-avail.txt
@@ -315,7 +315,6 @@ CCE-86604-6
 CCE-86605-3
 CCE-86606-1
 CCE-86607-9
 -CCE-86608-7
 CCE-86609-5
 CCE-86610-3
 CCE-86612-9
 -- 
 2.43.0
--- a/SOURCES/scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
+++ b/SOURCES/scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
@ -0,0 +1,263 @@
 From 09b4ceaba513e23ee933349f8a89b9c9b7dc1c26 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Wed, 6 Dec 2023 10:02:00 +0100
 Subject: [PATCH 14/14] Add variable support to `auditd_name_format` rule
 Patch-name: scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
 Patch-status: Add variable support to `auditd_name_format` rule
 ---
 controls/srg_gpos.yml                         |   1 +
 .../auditd_name_format/ansible/shared.yml     |   7 +-
 .../auditd_name_format/bash/shared.sh         |   7 +-
 .../auditd_name_format/oval/shared.xml        |  49 ++++-
 .../auditd_name_format/rule.yml               |  23 ++-
 .../var_auditd_flush.var                      |   2 +-
 .../var_auditd_name_format.var                |  18 ++
 products/rhel7/profiles/stig.profile          |   1 +
 products/rhel8/profiles/stig.profile          |   1 +
 .../data/profile_stability/rhel8/stig.profile |   1 +
 .../profile_stability/rhel8/stig_gui.profile  |   1 +
 15 files changed, 289 insertions(+), 24 deletions(-)
 create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
 diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
 index 1be70cf332..45fe8635c0 100644
 --- a/controls/srg_gpos.yml
 +++ b/controls/srg_gpos.yml
@@ -29,3 +29,4 @@ controls:
             - var_auditd_space_left_action=email
             - login_banner_text=dod_banners
             - var_authselect_profile=sssd
 +            - var_auditd_name_format=stig
 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
 index c933228357..015e9d6eff 100644
 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
 +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/ansible/shared.yml
@@ -10,9 +10,14 @@
   {{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
 {{%- endif %}}
 +{{{ ansible_instantiate_variables("var_auditd_name_format") }}}
 +
 +- name: "{{{ rule_title }}} - Define Value to Be Used in the Remediation"
 +  ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0] }}"
 +
 {{{ ansible_set_config_file(file=auditd_conf_path,
                   parameter="name_format",
 -                  value="hostname",
 +                  value="{{ auditd_name_format_split }}",
                   create=true,
                   separator=" = ",
                   separator_regex="\s*=\s*",
 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
 index 67a1203dd5..a08fddc901 100644
 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
 +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/bash/shared.sh
@@ -10,9 +10,14 @@
   {{%- set auditd_conf_path=audisp_conf_path + "/auditd.conf" %}}
 {{%- endif %}}
 +
 +{{{ bash_instantiate_variables("var_auditd_name_format") }}}
 +
 +var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)"
 +
 {{{set_config_file(path=auditd_conf_path,
                   parameter="name_format",
 -                  value="hostname",
 +                  value="$var_auditd_name_format",
                   create=true,
                   insensitive=true,
                   separator=" = ",
 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
 index 1bb86958fa..a98a46773b 100644
 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
 +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/oval/shared.xml
@@ -3,10 +3,47 @@
 {{% else %}}
 {{% set audisp_conf_file = "/auditd.conf" %}}
 {{% endif %}}
 +<def-group>
 +  <definition class="compliance" id="auditd_name_format" version="1">
 +    <metadata>
 +    <title>Set type of computer node name logging in audit logs</title>
 +    <affected family="unix">
 +    <platform>multi_platform_all</platform>
 +    </affected>
 +        <description>Ensure 'name_format' is configured with value 'hostname|fdq|numeric' in {{{ audisp_conf_path + audisp_conf_file }}}</description>
 +    </metadata>
 +    <criteria comment="The respective application or service is configured correctly"
 +    operator="OR"><criterion comment="Check the name_format in {{{ audisp_conf_path + audisp_conf_file }}}"
 +  test_ref="test_auditd_name_format" />
 +    </criteria>
 +  </definition>
 -{{{ oval_check_config_file(
 -    path=audisp_conf_path + audisp_conf_file,
 -    prefix_regex="^[ \\t]*(?i)",
 -    parameter="name_format",
 -    value="(?i)hostname(?-i)",
 -    separator_regex="(?-i)[ \\t]*=[ \\t]*") }}}
 +  <ind:textfilecontent54_test check="all" check_existence="all_exist"
 +    comment="tests the value of name_format setting in the {{{ audisp_conf_path + audisp_conf_file }}} file"
 +    id="test_auditd_name_format" version="1">
 +    <ind:object object_ref="obj_auditd_name_format" />
 +    <ind:state state_ref="state_auditd_name_format" />
 +  </ind:textfilecontent54_test>
 +
 +  <ind:textfilecontent54_object id="obj_auditd_name_format" version="1">
 +    <ind:filepath>{{{ audisp_conf_path + audisp_conf_file }}}</ind:filepath>
 +    <ind:pattern operation="pattern match">^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
 +    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
 +  </ind:textfilecontent54_object>
 +
 +  <ind:textfilecontent54_state id="state_auditd_name_format" version="1">
 +    <ind:subexpression operation="pattern match" var_ref="var_auditd_name_format_regex" />
 +  </ind:textfilecontent54_state>
 +
 +  <local_variable datatype="string" id="var_auditd_name_format_regex" version="1"
 +  comment="Build regex to be case insensitive">
 +    <concat>
 +      <literal_component>(?i)</literal_component>
 +      <variable_component var_ref="var_auditd_name_format"/>
 +    </concat>
 +  </local_variable>
 +
 +  <external_variable comment="audit name_format setting" datatype="string"
 +  id="var_auditd_name_format" version="1" />
 +
 +</def-group>
 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
 index 76a908f28f..4ee80e3d07 100644
 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
 +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
@@ -1,11 +1,11 @@
 documentation_complete: true
 -title: 'Set hostname as computer node name in audit logs'
 +title: 'Set type of computer node name logging in audit logs'
 description: |-
 -    To configure Audit daemon to use value returned by gethostname
 -    syscall as computer node name in the audit events,
 -    set <tt>name_format</tt> to <tt>hostname</tt>
 +    To configure Audit daemon to use a unique identifier
 +    as computer node name in the audit events,
 +    set <tt>name_format</tt> to <tt>{{{ xccdf_value("var_auditd_name_format") }}}</tt>
     in <tt>/etc/audit/auditd.conf</tt>.
 rationale: |-
@@ -32,17 +32,22 @@ references:
     stigid@rhel8: RHEL-08-030062
     stigid@rhel9: RHEL-09-653060
 -ocil_clause: name_format isn't set to hostname
 +ocil_clause: name_format isn't set to {{{ xccdf_value("var_auditd_name_format") }}}
 ocil: |-
 -    To verify that Audit Daemon is configured to record the hostname
 -    in audit events, run the following command:
 +    To verify that Audit Daemon is configured to record the computer node
 +    name in the audit events, run the following command:
     <pre>$ sudo grep name_format /etc/audit/auditd.conf</pre>
     The output should return the following:
 -    <pre>name_format = hostname</pre>
 +    <pre>name_format = {{{ xccdf_value("var_auditd_name_format") }}}</pre>
 +
 +warnings:
 +    - general: |-
 +        Whenever the variable <pre>var_auditd_name_format</pre> uses a multiple value option, for example
 +        <pre>A|B|C</pre>, the first value will be used when remediating this rule.
 fixtext: |-
 -    {{{ fixtext_audit_configuration(param="name_format", value="hostname") | indent(4) }}}
 +    {{{ fixtext_audit_configuration(param="name_format", value=xccdf_value("var_auditd_name_format")) | indent(4) }}}
 srg_requirement: |-
     {{{ full_name }}} must label all off-loaded audit logs before sending them to the central log server.
 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
 index 3ae67d484a..f7b0bc5b8f 100644
 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
 +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
@@ -13,5 +13,5 @@ options:
     default: data
     incremental: incremental
     incremental_async: incremental_async
 -    none: none
 +    none: "none"
     sync: sync
 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
 new file mode 100644
 index 0000000000..75cc597038
 --- /dev/null
 +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_name_format.var
@@ -0,0 +1,18 @@
 +documentation_complete: true
 +
 +title: 'Type of hostname to record the audit event'
 +
 +description: 'Type of hostname to record the audit event'
 +
 +type: string
 +
 +interactive: false
 +
 +options:
 +    default: hostname
 +    hostname: hostname
 +    fqd: fqd
 +    numeric: numeric
 +    user: user
 +    none: "none"
 +    stig: hostname|fqd|numeric
 diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
 index 6483dfe3da..1e1e50765a 100644
 --- a/products/rhel7/profiles/stig.profile
 +++ b/products/rhel7/profiles/stig.profile
@@ -335,6 +335,7 @@ selections:
     - accounts_authorized_local_users
     - auditd_overflow_action
     - auditd_name_format
 +    - var_auditd_name_format=stig
     - sebool_ssh_sysadm_login
     - sudoers_default_includedir
     - package_aide_installed
 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
 index 0e136784a1..3914fae78f 100644
 --- a/products/rhel8/profiles/stig.profile
 +++ b/products/rhel8/profiles/stig.profile
@@ -707,6 +707,7 @@ selections:
     # RHEL-08-030062
     - auditd_name_format
 +    - var_auditd_name_format=stig
     # RHEL-08-030063
     - auditd_log_format
 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
 index 7aabec8694..60dc9d3a50 100644
 --- a/tests/data/profile_stability/rhel8/stig.profile
 +++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -473,6 +473,7 @@ selections:
 - var_auditd_disk_error_action=rhel8
 - var_auditd_max_log_file_action=syslog
 - var_auditd_disk_full_action=rhel8
 +- var_auditd_name_format=stig
 - var_sssd_certificate_verification_digest_function=sha1
 - login_banner_text=dod_banners
 - var_authselect_profile=sssd
 diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
 index bef1437536..b77c8eab2f 100644
 --- a/tests/data/profile_stability/rhel8/stig_gui.profile
 +++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -481,6 +481,7 @@ selections:
 - var_auditd_disk_error_action=rhel8
 - var_auditd_max_log_file_action=syslog
 - var_auditd_disk_full_action=rhel8
 +- var_auditd_name_format=stig
 - var_sssd_certificate_verification_digest_function=sha1
 - login_banner_text=dod_banners
 - var_authselect_profile=sssd
 -- 
 2.43.0
--- a/SOURCES/scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
+++ b/SOURCES/scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
@ -0,0 +1,104 @@
 From cfbc85e51f15d106dd3cf03ef2fc7cd4f3c5d251 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 5 Dec 2023 16:05:37 +0100
 Subject: [PATCH 06/14] Update sshd_approved_ciphers value for RHEL in STIG
 profile
 Patch-name: scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
 Patch-status: Update sshd_approved_ciphers value for RHEL in STIG profile
 ---
 controls/srg_gpos.yml                               | 2 +-
 products/rhel8/profiles/stig.profile                | 2 +-
 tests/data/profile_stability/rhel8/stig.profile     | 6 +++---
 tests/data/profile_stability/rhel8/stig_gui.profile | 6 +++---
 4 files changed, 8 insertions(+), 8 deletions(-)
 diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
 index 65d58d5291..1be70cf332 100644
 --- a/controls/srg_gpos.yml
 +++ b/controls/srg_gpos.yml
@@ -20,7 +20,7 @@ controls:
             - var_password_hashing_algorithm=SHA512
             - var_password_pam_dictcheck=1
             - sshd_approved_macs=stig_extended
 -            - sshd_approved_ciphers=stig
 +            - sshd_approved_ciphers=stig_extended
             - sshd_idle_timeout_value=10_minutes
             - var_accounts_authorized_local_users_regex=rhel8
             - var_account_disable_post_pw_expiration=35
 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
 index 5be8fb8127..0e136784a1 100644
 --- a/products/rhel8/profiles/stig.profile
 +++ b/products/rhel8/profiles/stig.profile
@@ -51,7 +51,7 @@ selections:
     - var_password_pam_minlen=15
     - var_sshd_set_keepalive=1
     - sshd_approved_macs=stig_extended
 -    - sshd_approved_ciphers=stig
 +    - sshd_approved_ciphers=stig_extended
     - sshd_idle_timeout_value=10_minutes
     - var_accounts_authorized_local_users_regex=rhel8
     - var_accounts_passwords_pam_faillock_deny=3
 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
 index 3fe7cdf4ea..7aabec8694 100644
 --- a/tests/data/profile_stability/rhel8/stig.profile
 +++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,6 +1,6 @@
 description: 'This profile contains configuration checks that align to the
 -    DISA STIG for Red Hat Enterprise Linux 8 V1R9.
 +    DISA STIG for Red Hat Enterprise Linux 8 V1R11.
     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -22,7 +22,7 @@ description: 'This profile contains configuration checks that align to the
     - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
 extends: null
 metadata:
 -    version: V1R10
 +    version: V1R11
     SMEs:
     - mab879
     - ggbecker
@@ -455,7 +455,7 @@ selections:
 - var_password_pam_retry=3
 - var_sshd_set_keepalive=1
 - sshd_approved_macs=stig_extended
 -- sshd_approved_ciphers=stig
 +- sshd_approved_ciphers=stig_extended
 - sshd_idle_timeout_value=10_minutes
 - var_accounts_authorized_local_users_regex=rhel8
 - var_accounts_passwords_pam_faillock_deny=3
 diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
 index 66ada8588f..bef1437536 100644
 --- a/tests/data/profile_stability/rhel8/stig_gui.profile
 +++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -1,6 +1,6 @@
 description: 'This profile contains configuration checks that align to the
 -    DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R9.
 +    DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11.
     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -33,7 +33,7 @@ description: 'This profile contains configuration checks that align to the
     standard DISA STIG for Red Hat Enterprise Linux 8 profile.'
 extends: null
 metadata:
 -    version: V1R10
 +    version: V1R11
     SMEs:
     - mab879
     - ggbecker
@@ -463,7 +463,7 @@ selections:
 - var_password_pam_retry=3
 - var_sshd_set_keepalive=1
 - sshd_approved_macs=stig_extended
 -- sshd_approved_ciphers=stig
 +- sshd_approved_ciphers=stig_extended
 - sshd_idle_timeout_value=10_minutes
 - var_accounts_authorized_local_users_regex=rhel8
 - var_accounts_passwords_pam_faillock_deny=3
 -- 
 2.43.0
--- a/SOURCES/scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
+++ b/SOURCES/scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
@ -0,0 +1,212 @@
 From f0998f93828e756111294eb4c733fad77febd493 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Wed, 6 Dec 2023 10:31:53 +0100
 Subject: [PATCH 15/15] Update ssh stig HMACS and Ciphers allowed in OL8 STIG
 Patch-name: scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
 Patch-status: Update ssh stig HMACS and Ciphers allowed in OL8 STIG
 ---
 linux_os/guide/services/ssh/sshd_approved_ciphers.var        | 1 +
 .../tests/rhel8_stig_correct.pass.sh                         | 5 +++--
 .../tests/rhel8_stig_empty_policy.fail.sh                    | 2 +-
 .../tests/rhel8_stig_incorrect_policy.fail.sh                | 2 +-
 .../tests/rhel8_stig_missing_file.fail.sh                    | 2 +-
 .../harden_sshd_macs_openssh_conf_crypto_policy/rule.yml     | 4 ++--
 .../tests/stig_correct.pass.sh                               | 5 +++--
 .../tests/stig_correct_commented.fail.sh                     | 5 +++--
 .../stig_correct_followed_by_incorrect_commented.pass.sh     | 5 +++--
 .../stig_incorrect_followed_by_correct_commented.fail.sh     | 5 +++--
 .../rule.yml                                                 | 4 ++--
 products/ol8/profiles/stig.profile                           | 4 ++--
 12 files changed, 25 insertions(+), 19 deletions(-)
 diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
 index 65c3fde987..4ab4d36cef 100644
 --- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
 +++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -12,6 +12,7 @@ interactive: false
 options:
     stig: aes256-ctr,aes192-ctr,aes128-ctr
 +    stig_extended: aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
     default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
     cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
     cis_sle12: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
 index c84e0c1576..34b69406a3 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
 -# profiles = xccdf_org.ssgproject.content_profile_stig
 +# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 +
 +sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 -sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 correct_value="-oCiphers=${sshd_approved_ciphers}"
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
 index 66483e898a..60b4616ce5 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
 -# profiles = xccdf_org.ssgproject.content_profile_stig
 +# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
 index e350ce5f0a..3eca150b3f 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
 -# profiles = xccdf_org.ssgproject.content_profile_stig
 +# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
 index 11b194db03..f8659efcf0 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8
 -# profiles = xccdf_org.ssgproject.content_profile_stig
 +# variables = sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
 index 8736e39afc..547c31545e 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
@@ -12,7 +12,7 @@ description: |-
     To check that Crypto Policies settings are configured correctly, ensure that
     <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
     line and is not commented out:
 -    <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>
 +    <tt>MACs {{{ xccdf_value("sshd_approved_macs") }}}</tt>
 rationale: |-
     Overriding the system crypto policy makes the behavior of the OpenSSH
@@ -38,7 +38,7 @@ ocil: |-
     To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
     <pre>$ grep -i macs /etc/crypto-policies/back-ends/openssh.config</pre>
     and verify that the line matches:
 -    <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
 +    <pre>MACs {{{ xccdf_value("sshd_approved_macs") }}}</pre>
 warnings:
     - general: |-
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
 index 6edae50924..49d18486f3 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
 -# profiles = xccdf_org.ssgproject.content_profile_stig
 +# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 +
 +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 -sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
 configfile=/etc/crypto-policies/back-ends/openssh.config
 # Ensure directory + file is there
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
 index 0fec46a5c3..b068e2ea4d 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
 -# profiles = xccdf_org.ssgproject.content_profile_stig
 +# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 +
 +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 -sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
 configfile=/etc/crypto-policies/back-ends/openssh.config
 # Ensure directory + file is there
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
 index 95bf94331c..f57f422701 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
 -# profiles = xccdf_org.ssgproject.content_profile_stig
 +# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 +
 +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 -sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
 configfile=/etc/crypto-policies/back-ends/openssh.config
 # Ensure directory + file is there
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
 index 4af43d60e7..999463e1c2 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
 -# profiles = xccdf_org.ssgproject.content_profile_stig
 +# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 +
 +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 -sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
 incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
 configfile=/etc/crypto-policies/back-ends/openssh.config
 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
 index f08f120f9a..a76cee71d8 100644
 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
 +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
@@ -12,7 +12,7 @@ description: |-
     To check that Crypto Policies settings are configured correctly, ensure that
     <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
     text and is not commented out:
 -    <tt>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</tt>
 +    <tt>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</tt>
 rationale: |-
     Overriding the system crypto policy makes the behavior of the OpenSSH
@@ -38,7 +38,7 @@ ocil: |-
     To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
     <pre>$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
     and verify that the line matches:
 -    <pre>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</pre>
 +    <pre>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</pre>
 warnings:
     - general: |-
 diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
 index ae2795c4fb..2be62c59ca 100644
 --- a/products/ol8/profiles/stig.profile
 +++ b/products/ol8/profiles/stig.profile
@@ -38,8 +38,8 @@ selections:
     - var_password_pam_retry=3
     - var_password_pam_minlen=15
     - var_sshd_set_keepalive=0
 -    - sshd_approved_macs=stig
 -    - sshd_approved_ciphers=stig
 +    - sshd_approved_macs=stig_extended
 +    - sshd_approved_ciphers=stig_extended
     - sshd_idle_timeout_value=10_minutes
     - var_accounts_authorized_local_users_regex=ol8
     - var_accounts_passwords_pam_faillock_deny=3
 -- 
 2.43.0
--- a/SOURCES/scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
+++ b/SOURCES/scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
@ -0,0 +1,158 @@
 From 1927922065ba7cab8e389d6b2e4ec014be491bed Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 5 Dec 2023 16:05:37 +0100
 Subject: [PATCH 09/14] Add cron.deny Owership Rules
 Patch-name: scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
 Patch-status: Add cron.deny Owership Rules
 ---
 components/cronie.yml                         |  2 +
 .../srg_gpos/SRG-OS-000480-GPOS-00227.yml     |  2 +
 .../file_groupowner_cron_deny/rule.yml        | 39 ++++++++++++++++++
 .../cron_and_at/file_owner_cron_deny/rule.yml | 41 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt        |  2 -
 5 files changed, 84 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
 create mode 100644 linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
 diff --git a/components/cronie.yml b/components/cronie.yml
 index c11edb518e..b8bf7f264a 100644
 --- a/components/cronie.yml
 +++ b/components/cronie.yml
@@ -8,6 +8,8 @@ rules:
 - disable_anacron
 - file_at_deny_not_exist
 - file_cron_deny_not_exist
 +- file_owner_cron_deny
 +- file_groupowner_cron_deny
 - file_groupowner_at_allow
 - file_groupowner_cron_allow
 - file_groupowner_cron_d
 diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
 index be60a154c1..d78256777c 100644
 --- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
 +++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -64,6 +64,8 @@ controls:
             - file_permissions_ungroupowned
             - dir_perms_world_writable_root_owned
             - no_files_unowned_by_user
 +            - file_owner_cron_deny
 +            - file_groupowner_cron_deny
             # service disabled
             # - service_rngd_enabled - this rule was removed because it does bring questionable value on modern systems
 diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
 new file mode 100644
 index 0000000000..7cacc3fc7b
 --- /dev/null
 +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
@@ -0,0 +1,39 @@
 +documentation_complete: true
 +
 +prodtype: rhel9
 +
 +title: 'Verify Group Who Owns cron.deny'
 +
 +description: |-
 +    {{{ describe_file_group_owner(file="/etc/cron.deny", group="root") }}}
 +
 +rationale: |-
 +    Service configuration files enable or disable features of their respective services that if configured incorrectly
 +    can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
 +    correct group to prevent unauthorized changes.
 +
 +severity: medium
 +
 +identifiers:
 +    cce@rhel9: CCE-86537-8
 +
 +
 +references:
 +    disa: CCI-000366
 +    nist: CM-6 b
 +    srg: SRG-OS-000480-GPOS-00227
 +
 +ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.deny", group="root") }}}'
 +
 +ocil: |-
 +    {{{ ocil_file_group_owner(file="/etc/cron.deny", group="root") }}}
 +
 +fixtext: '{{{ fixtext_file_group_owner(file="/etc/cron.deny/", group="root") }}}'
 +
 +srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/cron.deny", group="root") }}}'
 +
 +template:
 +    name: file_groupowner
 +    vars:
 +        filepath: /etc/cron.deny
 +        gid_or_name: '0'
 diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
 new file mode 100644
 index 0000000000..4297313a74
 --- /dev/null
 +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
@@ -0,0 +1,41 @@
 +documentation_complete: true
 +
 +prodtype: rhel9
 +
 +title: 'Verify Owner on cron.deny'
 +
 +description: |-
 +    {{{ describe_file_owner(file="/etc/cron.deny", owner="root") }}}
 +
 +rationale: |-
 +    Service configuration files enable or disable features of their respective services that if configured incorrectly
 +    can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
 +    correct user to prevent unauthorized changes.
 +
 +
 +severity: medium
 +
 +identifiers:
 +    cce@rhel9: CCE-86887-7
 +
 +references:
 +    disa: CCI-000366
 +    nist: CM-6 b
 +    srg: SRG-OS-000480-GPOS-00227
 +
 +
 +ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.deny", owner="root") }}}'
 +
 +ocil: |-
 +    {{{ ocil_file_owner(file="/etc/cron.deny", owner="root") }}}
 +
 +fixtext: '{{{ fixtext_file_owner(file="/etc/cron.deny/", owner="root") }}}'
 +
 +srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/cron.deny", owner="root") }}}'
 +
 +template:
 +    name: file_owner
 +    vars:
 +        filepath: /etc/cron.deny
 +        fileuid: '0'
 +
 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
 index 60663b117a..8ae1e4186f 100644
 --- a/shared/references/cce-redhat-avail.txt
 +++ b/shared/references/cce-redhat-avail.txt
@@ -259,7 +259,6 @@ CCE-86528-7
 CCE-86530-3
 CCE-86535-2
 CCE-86536-0
 -CCE-86537-8
 CCE-86538-6
 CCE-86539-4
 CCE-86540-2
@@ -516,7 +515,6 @@ CCE-86880-2
 CCE-86881-0
 CCE-86882-8
 CCE-86886-9
 -CCE-86887-7
 CCE-86888-5
 CCE-86889-3
 CCE-86890-1
 -- 
 2.43.0
--- a/SOURCES/scap-security-guide-0.1.71-add_rhel9_stig-PR_11193.patch
+++ b/SOURCES/scap-security-guide-0.1.71-add_rhel9_stig-PR_11193.patch
--- a/SOURCES/scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
+++ b/SOURCES/scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
@ -0,0 +1,26 @@
 From eb4cedf1097bb556134a03648a99c60b16fa4726 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 5 Dec 2023 16:22:29 +0100
 Subject: [PATCH 12/14] Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
 Patch-name: scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
 Patch-status: Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
 ---
 .../bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml      | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
 index fef91a47df..3df07a5689 100644
 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
 +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
@@ -45,6 +45,7 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     pcidss: Req-7.1
     pcidss4: "2.2.6"
 +    srg: SRG-OS-000480-GPOS-00227
     stigid@rhel9: RHEL-09-212030
 ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/grub.cfg", owner="root") }}}'
 -- 
 2.43.0
--- a/SOURCES/scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
+++ b/SOURCES/scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
@ -0,0 +1,26 @@
 From 89c7d9f8e9837383047b036c9a42a9986590f307 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 5 Dec 2023 16:22:29 +0100
 Subject: [PATCH 11/14] Add var_networkmanager_dns_mode to RHEL 9 STIG
 Patch-name: scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
 Patch-status: Add var_networkmanager_dns_mode to RHEL 9 STIG
 ---
 controls/stig_rhel9.yml | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
 index 0966ebb6fc..b576ba08c3 100644
 --- a/controls/stig_rhel9.yml
 +++ b/controls/stig_rhel9.yml
@@ -1516,6 +1516,7 @@ controls:
         title: RHEL 9 must configure a DNS processing mode set be Network Manager.
         rules:
             - networkmanager_dns_mode
 +            - var_networkmanager_dns_mode=none
         status: automated
     -   id: RHEL-09-252045
 -- 
 2.43.0
--- a/SOURCES/scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
+++ b/SOURCES/scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
@ -0,0 +1,294 @@
 From 6f11431ae6ff21170b11e6777141cbe33a8ffe42 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 5 Dec 2023 16:05:37 +0100
 Subject: [PATCH 08/14] New Rule networkmanager_dns_mode
 Patch-name: scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
 Patch-status: New Rule networkmanager_dns_mode
 ---
 components/networkmanager.yml                 |  5 +++
 .../srg_gpos/SRG-OS-000480-GPOS-00227.yml     |  4 +++
 .../system/network/networkmanager/group.yml   |  7 ++++
 .../ansible/shared.yml                        | 14 ++++++++
 .../networkmanager_dns_mode/bash/shared.sh    | 11 ++++++
 .../networkmanager_dns_mode/oval/shared.xml   | 12 +++++++
 .../policy/stig/shared.yml                    | 15 ++++++++
 .../networkmanager_dns_mode/rule.yml          | 34 +++++++++++++++++++
 .../tests/correct.pass.sh                     |  8 +++++
 .../tests/correct_default.pass.sh             |  8 +++++
 .../tests/missing.fail.sh                     |  4 +++
 .../tests/wrong_value.fail.sh                 |  8 +++++
 .../var_networkmanager_dns_mode.var           | 19 +++++++++++
 shared/applicability/package.yml              |  2 ++
 shared/references/cce-redhat-avail.txt        |  1 -
 15 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 components/networkmanager.yml
 create mode 100644 linux_os/guide/system/network/networkmanager/group.yml
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
 create mode 100644 linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
 create mode 100644 linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
 diff --git a/components/networkmanager.yml b/components/networkmanager.yml
 new file mode 100644
 index 0000000000..75d54b9490
 --- /dev/null
 +++ b/components/networkmanager.yml
@@ -0,0 +1,5 @@
 +name: NetworkManager
 +packages:
 +- NetworkManager
 +rules:
 +- networkmanager_dns_mode
 diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
 index 1aceb0b187..be60a154c1 100644
 --- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
 +++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -225,6 +225,10 @@ controls:
             - set_firewalld_default_zone
             - firewalld_sshd_port_enabled
 +            # NetworkManger
 +            - networkmanager_dns_mode
 +            - var_networkmanager_dns_mode=none
 +
             # misc
             - enable_authselect
             - no_host_based_files
 diff --git a/linux_os/guide/system/network/networkmanager/group.yml b/linux_os/guide/system/network/networkmanager/group.yml
 new file mode 100644
 index 0000000000..4abf48ed96
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/group.yml
@@ -0,0 +1,7 @@
 +documentation_complete: true
 +
 +title: 'Network Manager'
 +
 +description: |-
 +    The NetworkManager daemon configures a variety of network connections.
 +    This section discusses how to configure NetworkManager.
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
 new file mode 100644
 index 0000000000..b416038bd9
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/ansible/shared.yml
@@ -0,0 +1,14 @@
 +# platform = multi_platform_all
 +# reboot = false
 +# strategy = configure
 +# complexity = low
 +# disruption = low
 +
 +{{{ ansible_instantiate_variables("var_networkmanager_dns_mode") }}}
 +
 +{{{ ansible_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "{{ var_networkmanager_dns_mode }}") }}}
 +
 +- name: "{{{ rule_title }}} - Ensure Network Manager"
 +  ansible.builtin.systemd:
 +      name: NetworkManager
 +      state: reloaded
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
 new file mode 100644
 index 0000000000..88491d288d
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/bash/shared.sh
@@ -0,0 +1,11 @@
 +# platform = multi_platform_all
 +# reboot = false
 +# strategy = configure
 +# complexity = low
 +# disruption = medium
 +
 +{{{ bash_instantiate_variables("var_networkmanager_dns_mode") }}}
 +
 +{{{ bash_ini_file_set("/etc/NetworkManager/NetworkManager.conf", "main", "dns", "$var_networkmanager_dns_mode") }}}
 +
 +systemctl reload NetworkManager
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
 new file mode 100644
 index 0000000000..cb07c9a9ed
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/oval/shared.xml
@@ -0,0 +1,12 @@
 +{{{
 +oval_check_ini_file(
 +    path="/etc/NetworkManager/NetworkManager.conf",
 +    section="main",
 +    parameter="dns",
 +    value="default|none",
 +    missing_parameter_pass=false,
 +    application="NetworkManager",
 +    multi_value=false,
 +    missing_config_file_fail=true
 +)
 +}}}
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
 new file mode 100644
 index 0000000000..b644587b41
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/policy/stig/shared.yml
@@ -0,0 +1,15 @@
 +checktext: |-
 +    [main]
 +    dns=none
 +
 +    If the dns key under main does not exist or is not set to "none" or "default", this is a finding.
 +
 +fixtext: |-
 +    Configure NetworkManager in RHEL 9 to use a DNS mode.
 +
 +    In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section:
 +
 +    dns = none
 +
 +srg_requirement: |-
 +    {{ full_name }} must configure a DNS processing mode set be Network Manager.
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
 new file mode 100644
 index 0000000000..8b703cb2f1
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/rule.yml
@@ -0,0 +1,34 @@
 +documentation_complete: true
 +
 +prodtype: rhel9
 +
 +title: 'NetworkManager DNS Mode Must Be Must Configured'
 +
 +description:
 +    The DNS processing mode in NetworkManager describes how DNS is processed on the system.
 +    Depending the mode some changes the system's DNS may not be respected.
 +
 +rationale:
 +    To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.
 +
 +severity: medium
 +
 +identifiers:
 +    cce@rhel9: CCE-86805-9
 +
 +references:
 +    disa: CCI-000366
 +    nist: CM-6(b)
 +    srg: SRG-OS-000480-GPOS-00227
 +
 +ocil_clause: 'the dns key under main does not exist or is not set to "none" or "default"'
 +
 +
 +ocil: |-
 +    Verify that {{{ full_name }}} has a DNS mode configured in Network Manager.
 +
 +    $ NetworkManager --print-config
 +    [main]
 +    dns={{{ xccdf_value("var_networkmanager_dns_mode") }}}
 +
 +platform: package[NetworkManager]
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
 new file mode 100644
 index 0000000000..7af3e14fc3
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct.pass.sh
@@ -0,0 +1,8 @@
 +#!/bin/bash
 +# variables = var_networkmanager_dns_mode = none
 +# packages = NetworkManager
 +
 +cat > /etc/NetworkManager/NetworkManager.conf << EOM
 +[main]
 +dns=none
 +EOM
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
 new file mode 100644
 index 0000000000..a19040e2d5
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/correct_default.pass.sh
@@ -0,0 +1,8 @@
 +#!/bin/bash
 +# variables = var_networkmanager_dns_mode = default
 +# packages = NetworkManager
 +
 +cat > /etc/NetworkManager/NetworkManager.conf << EOM
 +[main]
 +dns=default
 +EOM
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
 new file mode 100644
 index 0000000000..b81d82c807
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/missing.fail.sh
@@ -0,0 +1,4 @@
 +#!/bin/bash
 +# variables = var_networkmanager_dns_mode = default
 +
 +sed '/^dns=.*$/d' /etc/NetworkManager/NetworkManager.conf
 diff --git a/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
 new file mode 100644
 index 0000000000..6de904b372
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/networkmanager_dns_mode/tests/wrong_value.fail.sh
@@ -0,0 +1,8 @@
 +#!/bin/bash
 +# variables = var_networkmanager_dns_mode = default
 +# packages = NetworkManager
 +
 +cat > /etc/NetworkManager/NetworkManager.conf << EOM
 +[main]
 +dns=dnsmasq
 +EOM
 diff --git a/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
 new file mode 100644
 index 0000000000..1be615dff9
 --- /dev/null
 +++ b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var
@@ -0,0 +1,19 @@
 +documentation_complete: true
 +
 +title: 'NetoworkManager DNS Mode'
 +
 +type: string
 +
 +description: |-
 +    This sets how NetworkManager handles DNS.
 +
 +    none -  NetworkManager will not modify resolv.conf.
 +    default - NetworkManager will update /etc/resolv.conf to reflect the nameservers provided by currently active connections.
 +
 +interactive: true
 +
 +operator: 'equals'
 +
 +options:
 +    none: none
 +    default: default
 diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
 index ee52a50f1f..4718c7cf71 100644
 --- a/shared/applicability/package.yml
 +++ b/shared/applicability/package.yml
@@ -87,3 +87,5 @@ args:
     pkgname: zypper
   openssh:
     pkgname: openssh
 +  networkmanager:
 +    pkgname: NetworkManager
 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
 index 538d9d488d..60663b117a 100644
 --- a/shared/references/cce-redhat-avail.txt
 +++ b/shared/references/cce-redhat-avail.txt
@@ -459,7 +459,6 @@ CCE-86799-4
 CCE-86802-6
 CCE-86803-4
 CCE-86804-2
 -CCE-86805-9
 CCE-86806-7
 CCE-86807-5
 CCE-86808-3
 -- 
 2.43.0
--- a/SOURCES/scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
+++ b/SOURCES/scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
@ -0,0 +1,67 @@
 From 9062da533315a871939f3c22d4154e1f4141d432 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 5 Dec 2023 16:22:30 +0100
 Subject: [PATCH 13/14] Minor modifications to RHEL STIG profiles
 Patch-name: scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
 Patch-status: Minor modifications to RHEL STIG profiles
 ---
 controls/stig_rhel9.yml                                         | 2 +-
 .../password_quality/passwd_system-auth_substack/rule.yml       | 1 -
 .../audit_rules_immutable_login_uids/rule.yml                   | 1 +
 .../auditing/policy_rules/audit_immutable_login_uids/rule.yml   | 2 --
 4 files changed, 2 insertions(+), 4 deletions(-)
 diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
 index b576ba08c3..73d9e9e1aa 100644
 --- a/controls/stig_rhel9.yml
 +++ b/controls/stig_rhel9.yml
@@ -4114,7 +4114,7 @@ controls:
             - medium
         title: RHEL 9 audit system must protect logon UIDs from unauthorized change.
         rules:
 -            - audit_immutable_login_uids
 +            - audit_rules_immutable_login_uids
         status: automated
     -   id: RHEL-09-654275
 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
 index 89b82af3f2..55d3e47a54 100644
 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
 +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml
@@ -19,7 +19,6 @@ references:
     nist: IA-5(1)(a),IA-5(1).1(v),IA-5(1)(a)
     srg: SRG-OS-000069-GPOS-00037
     stigid@ol7: OL07-00-010118
 -    stigid@rhel7: RHEL-07-010118
 ocil_clause: '/etc/pam.d/passwd does not implement /etc/pam.d/system-auth'
 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
 index 46e249efbb..6a8ea53fc5 100644
 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
 +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml
@@ -33,6 +33,7 @@ references:
     disa: CCI-000162,CCI-000163,CCI-000164
     srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
     stigid@rhel8: RHEL-08-030122
 +    stigid@rhel9: RHEL-09-654270
 ocil_clause: 'the system is not configured to make login UIDs immutable'
 diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
 index 9f2f7dbc11..dbf1015a19 100644
 --- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
 +++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -35,8 +35,6 @@ references:
     ospp: FAU_GEN.1.2
     srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
     stigid@ol8: OL08-00-030122
 -    stigid@rhel8: RHEL-08-030122
 -    stigid@rhel9: RHEL-09-654270
 ocil_clause: 'the file does not exist or the content differs'
 -- 
 2.43.0
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -6,7 +6,7 @@
 Name:		scap-security-guide
 Version:	0.1.69
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -18,6 +18,26 @@ Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
 Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
 # remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
 Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
 # Update sshd_approved_ciphers value for RHEL in STIG profile
 Patch5:	 scap-security-guide-0.1.70-sshd_approved_ciphers_stig-PR_10966.patch
 # Add rule `package_s-nail-installed`
 Patch6:	 scap-security-guide-0.1.70-add_package_smail_installed-PR_11144.patch
 # New Rule networkmanager_dns_mode
 Patch7:	 scap-security-guide-0.1.71-new_rule_dns_mode_nm-PR_11160.patch
 # Add cron.deny Owership Rules
 Patch8:	 scap-security-guide-0.1.71-add_cron_deny_rules-PR_11185.patch
 # Add RHEL 9 STIG
 Patch9:	 scap-security-guide-0.1.71-add_rhel9_stig-PR_11193.patch
 # Add var_networkmanager_dns_mode to RHEL 9 STIG
 Patch10:	scap-security-guide-0.1.71-fix_var_networkmanager_dns_mode_rhel9_stig-PR_11242.patch
 # Add SRG id to `file_owner_grub2_cfg` for RHEL 9 STIG
 Patch11:	scap-security-guide-0.1.71-add_srg_to_file_owner_grub2_cfg-PR_11261.patch
 # Minor modifications to RHEL STIG profiles
 Patch12:	scap-security-guide-0.1.72-remove_stig_ids-PR_11327.patch
 # Add variable support to `auditd_name_format` rule
 Patch13:	scap-security-guide-0.1.70-name_format_variable-PR_11019.patch
 # Update ssh stig HMACS and Ciphers allowed in OL8 STIG
 Patch14:	scap-security-guide-0.1.70-update_ssh_stig_algos-PR_10920.patch
 BuildArch:	noarch
 BuildRequires:	libxslt
@ -105,17 +125,24 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 %changelog
 * Tue Dec 05 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-3
 - Align STIG profile with official DISA STIG for RHEL 9 (RHEL-1807)
 * Thu Aug 17 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-2
- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2228447)
+- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
- Fix ANSSI High profile with secure boot (RHBZ#2228447)
+- Fix ANSSI High profile with secure boot (RHBZ#2221697)
-
+
-* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
+* Wed Aug 09 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- Rebase to a new upstream release 0.1.69 (RHBZ#2228447)
+- Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
- Fixed excess quotes in journald configuration files (RHBZ#2228439)
+- Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)
- Change rules checking password age to apply only to local users (RHBZ#2228467)
+- SSSD configuration files are now created with correct permissions whenever remediating SSSD related rules (RHBZ#2211511)
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2228431)
+- add warning about migration of network configuration files when upgrading from RHEL 8 to RHEL 9 (RHBZ#2172555)
- Correct URL used to download CVE checks. (RHBZ#2228469)
+- Correct URL used to download CVE checks. (RHBZ#2223178)
- Change rules checking home directories to apply only to local users (RHBZ#2228462)
+- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155790)
 - Fixed excess quotes in journald configuration files (RHBZ#2193169)
 - Change rules checking home directories to apply only to local users (RHBZ#2203791)
 - Change rules checking password age to apply only to local users (RHBZ#2213958)
 - Updated man page (RHBZ#2060028)
 * Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
 - Rebase to a new upstream release 0.1.66 (RHBZ#2169443)