import scap-security-guide-0.1.63-5.el9

2 years ago · d4e70e3a15
commit d4e70e3a15
12 changed files with 5924 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/scap-security-guide-0.1.63.tar.bz2
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@ -0,0 +1 @@
+b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
--- a/SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
+++ b/SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
--- a/SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
+++ b/SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
@ -0,0 +1,90 @@
+From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:15 +0200
+Subject: [PATCH 1/4] fix ospp references
+
+---
+ linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
+index c151d3c4aa1..f9b46c51ddd 100644
+--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
+@@ -34,6 +34,7 @@ references:
+     disa: CCI-000213
+     hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)  # taken from require_singleuser_auth
+     nist: AC-3
+    ospp: FIA_UAU.1,FIA_AFL.1
+     srg: SRG-OS-000480-GPOS-00227
+ 
+ ocil: |-
+
+From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:42 +0200
+Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
+
+---
+ products/rhel9/profiles/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index b47630c62b0..dcc41970043 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -115,7 +115,7 @@ selections:
+     - coredump_disable_storage
+     - coredump_disable_backtraces
+     - service_systemd-coredump_disabled
+-    - var_authselect_profile=sssd
+    - var_authselect_profile=minimal
+     - enable_authselect
+     - use_pam_wheel_for_su
+ 
+
+From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 11:45:54 +0200
+Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
+
+---
+ products/rhel8/profiles/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
+index 39ad1797c7a..ebec8a3a6f9 100644
+--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
+@@ -220,7 +220,7 @@ selections:
+     - var_accounts_max_concurrent_login_sessions=10
+     - accounts_max_concurrent_login_sessions
+     - securetty_root_login_console_only
+-    - var_authselect_profile=sssd
+    - var_authselect_profile=minimal
+     - enable_authselect
+     - var_password_pam_unix_remember=5
+     - accounts_password_pam_unix_remember
+
+From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 13:55:05 +0200
+Subject: [PATCH 4/4] update profile stability test
+
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 5d73a8c6fef..21e93e310d5 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -242,7 +242,7 @@ selections:
+ - var_slub_debug_options=P
+ - var_auditd_flush=incremental_async
+ - var_accounts_max_concurrent_login_sessions=10
+-- var_authselect_profile=sssd
+- var_authselect_profile=minimal
+ - var_password_pam_unix_remember=5
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
--- a/SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
+++ b/SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
@ -0,0 +1,302 @@
+From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 27 Jul 2022 13:49:05 +0200
+Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp
+
+---
+ products/rhel9/profiles/ospp.profile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index dcc41970043..0902abf58db 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -110,10 +110,7 @@ selections:
+     - package_gnutls-utils_installed
+ 
+     ### Login
+-    - disable_users_coredumps
+     - sysctl_kernel_core_pattern
+-    - coredump_disable_storage
+-    - coredump_disable_backtraces
+     - service_systemd-coredump_disabled
+     - var_authselect_profile=minimal
+     - enable_authselect
+
+From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 3 Aug 2022 12:17:27 +0200
+Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL
+
+actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template.
+I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
+---
+ shared/templates/sysctl/oval.template | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 1a7c4979bbe..e0c6f72f928 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -17,13 +17,8 @@
+ {{% endif %}}
+ {{%- endmacro -%}}
+ {{%- macro sysctl_match() -%}}
+-{{%- if SYSCTLVAL == "" -%}}
+-    <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
+-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+-{{%- else -%}}
+     <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+-{{%- endif -%}}
+ {{%- endmacro -%}}
+ {{%- if "P" in FLAGS -%}}
+ 
+
+From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 3 Aug 2022 13:00:45 +0200
+Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid
+
+---
+ .../sysctl_kernel_core_uses_pid/rule.yml      | 36 +++++++++++++++++++
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+new file mode 100644
+index 00000000000..7fa36fb940e
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Configure file name of core dumps'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
+
+rationale: |-
+    The default coredump filename is <pre>core</pre>. By setting
+    <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
+    <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
+    <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
+    <pre>.PID</pre> will be appended to the filename.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86003-1
+
+references:
+    ospp: FMT_SMF_EXT.1
+
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+
+ocil: |-
+    {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+
+platform: machine
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: kernel.core_uses_pid
+        datatype: int
+        sysctlval: '0'
+
+From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 09:08:37 +0200
+Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string
+
+---
+ .../rule.yml                                  | 49 +++++++++++++++++++
+ 2 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+new file mode 100644
+index 00000000000..089bb1481aa
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+@@ -0,0 +1,49 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Disable storing core dumps'
+
+description: |-
+    The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
+    name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
+    behaves differently based on another related option. If
+    <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
+    <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
+    created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
+    <tt>0</tt>, no coredump is saved.
+    {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+
+rationale: |-
+    A core dump includes a memory image taken at the time the operating system
+    terminates an application. The memory image could contain sensitive data and is generally useful
+    only for developers trying to debug problems.
+
+severity: medium
+
+requires:
+    - sysctl_kernel_core_uses_pid
+
+conflicts:
+    - sysctl_kernel_core_pattern
+
+identifiers:
+    cce@rhel9: CCE-86005-6
+
+references:
+    ospp: FMT_SMF_EXT.1
+
+ocil_clause: |-
+    the returned line does not have a value of ''.
+
+ocil: |
+    {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+
+platform: machine
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: kernel.core_pattern
+        sysctlval: "''"
+        datatype: string
+
+From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 10:40:47 +0200
+Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile
+
+---
+ products/rhel9/profiles/ospp.profile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 0902abf58db..b1b18261d48 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -110,7 +110,8 @@ selections:
+     - package_gnutls-utils_installed
+ 
+     ### Login
+-    - sysctl_kernel_core_pattern
+    - sysctl_kernel_core_pattern_empty_string
+    - sysctl_kernel_core_uses_pid
+     - service_systemd-coredump_disabled
+     - var_authselect_profile=minimal
+     - enable_authselect
+
+From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 3 Aug 2022 13:01:12 +0200
+Subject: [PATCH 6/8] describe beneficial dependency between
+ sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid
+
+---
+ .../sysctl_kernel_core_uses_pid/rule.yml            | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+index 7fa36fb940e..d6d2c468c10 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
+ description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
+ 
+ rationale: |-
+-    The default coredump filename is <pre>core</pre>. By setting
+-    <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
+-    <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
+-    <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
+-    <pre>.PID</pre> will be appended to the filename.
+    The default coredump filename is <tt>core</tt>. By setting
+    <tt>core_uses_pid</tt> to <tt>1</tt>, the coredump filename becomes
+    <tt>core.PID</tt>. If <tt>core_pattern</tt> does not include
+    <tt>%p</tt> (default does not) and <tt>core_uses_pid</tt> is set, then
+    <tt>.PID</tt> will be appended to the filename.
+    When combined with <tt>kernel.core_pattern = ""</tt> configuration, it
+    is ensured that no core dumps are generated and also no confusing error
+    messages are printed by a shell.
+ 
+ severity: medium
+ 
+
+From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Fri, 5 Aug 2022 10:53:37 +0200
+Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with
+ sysctl_kernel_core_pattern_empty_string
+
+they are modifying the same configuration
+---
+ .../restrictions/sysctl_kernel_core_pattern/rule.yml           | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+index 771c4d40e0f..c27a9e7ecf3 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+@@ -13,6 +13,9 @@ rationale: |-
+ 
+ severity: medium
+ 
+conflicts:
+    - sysctl_kernel_core_pattern_empty_string
+
+ identifiers:
+     cce@rhcos4: CCE-82527-3
+     cce@rhel8: CCE-82215-5
+
+From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 9 Aug 2022 16:43:20 +0200
+Subject: [PATCH 8/8] fix ocils
+
+---
+ .../restrictions/sysctl_kernel_core_pattern/rule.yml         | 5 ++++-
+ .../restrictions/sysctl_kernel_core_uses_pid/rule.yml        | 4 ++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+index c27a9e7ecf3..1a540ce20b3 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+@@ -29,7 +29,10 @@ references:
+     stigid@ol8: OL08-00-010671
+     stigid@rhel8: RHEL-08-010671
+ 
+-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause:  |-
+    the returned line does not have a value of "|/bin/false", or a line is not
+    returned and the need for core dumps is not documented with the Information
+    System Security Officer (ISSO) as an operational requirement
+ 
+ ocil: |
+     {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+index d6d2c468c10..8f51f97c16c 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+@@ -24,10 +24,10 @@ identifiers:
+ references:
+     ospp: FMT_SMF_EXT.1
+ 
+-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: 'the returned line does not have a value of 0'
+ 
+ ocil: |-
+-    {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+    {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
+ 
+ platform: machine
+ 
--- a/SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
+++ b/SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
@ -0,0 +1,826 @@
+From 796d3630621847b478896ee4a773cdb605821882 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 18 Aug 2022 13:06:49 +0200
+Subject: [PATCH 1/8] Create custom sysctl_kernel_core_pattern_empty_string
+ content.
+
+---
+ .../ansible/shared.yml                        |  32 +++
+ .../bash/shared.sh                            |  60 +++++
+ .../oval/shared.xml                           | 221 ++++++++++++++++++
+ .../rule.yml                                  |  23 +-
+ .../tests/correct_value.pass.sh               |  10 +
+ .../tests/wrong_value.fail.sh                 |  10 +
+ .../tests/wrong_value_three_entries.fail.sh   |  11 +
+ .../tests/wrong_value_two_entries.fail.sh     |  10 +
+ products/rhel9/profiles/ospp.profile          |   2 +-
+ 9 files changed, 366 insertions(+), 13 deletions(-)
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+new file mode 100644
+index 00000000000..a6e7bf54b56
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+@@ -0,0 +1,32 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+- name: List /etc/sysctl.d/*.conf files
+  find:
+    paths:
+    - /etc/sysctl.d/
+    - /run/sysctl.d/
+    contains: ^[\s]*kernel.core_pattern.*$
+    patterns: '*.conf'
+    file_type: any
+  register: find_sysctl_d
+- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
+    files
+  replace:
+    path: '{{ item.path }}'
+    regexp: ^[\s]*kernel.core_pattern
+    replace: '#kernel.core_pattern'
+  loop: '{{ find_sysctl_d.files }}'
+- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
+  replace:
+    path: /etc/sysctl.conf
+    regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
+    replace: '#kernel.core_pattern'
+- name: Ensure sysctl kernel.core_pattern is set to empty
+  sysctl:
+    name: kernel.core_pattern
+    value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces
+    state: present
+    reload: true
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+new file mode 100644
+index 00000000000..989987250bc
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+@@ -0,0 +1,60 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
+
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+      # comment out "kernel.core_pattern" matches to preserve user data
+      sed -i "s/^${escaped_entry}$/# &/g" $f
+    done <<< "$matching_list"
+  fi
+done
+
+#
+# Set runtime for kernel.core_pattern
+#
+/sbin/sysctl -q -n -w kernel.core_pattern=""
+
+#
+# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty
+#	else, add "kernel.core_pattern =" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+    sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s=" "$stripped_key"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+    # \n is precaution for case where file ends without trailing newline
+
+    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+new file mode 100644
+index 00000000000..39654259dcb
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+@@ -0,0 +1,221 @@
+
+
+<def-group>
+  <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string" version="3">
+    {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
+    <criteria operator="AND">
+      <extend_definition comment="kernel.core_pattern configuration setting check"
+                         definition_ref="sysctl_kernel_core_pattern_empty_string_static"/>
+      <extend_definition comment="kernel.core_pattern runtime setting check"
+                         definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
+    </criteria>
+  </definition>
+</def-group><def-group>
+  <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
+    {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
+    <criteria operator="AND">
+      <criterion comment="kernel runtime parameter kernel.core_pattern set to an empty string"
+                 test_ref="test_sysctl_kernel_core_pattern_empty_string_runtime"/>
+    </criteria>
+  </definition>
+
+  <unix:sysctl_test id="test_sysctl_kernel_core_pattern_empty_string_runtime" version="1"
+                    comment="kernel runtime parameter kernel.core_pattern set to an empty string"
+                    check="all" check_existence="all_exist" state_operator="OR">
+    <unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
+
+    <unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
+
+  </unix:sysctl_test>
+
+  <unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
+    <unix:name>kernel.core_pattern</unix:name>
+  </unix:sysctl_object>
+
+
+  <unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
+
+    <unix:value datatype="string"
+                operation="equals"></unix:value>
+
+  </unix:sysctl_state>
+
+</def-group>
+<def-group>
+  <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_static" version="3">
+    {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}}
+    <criteria operator="AND">
+      <criteria operator="OR">
+        <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.conf"
+                   test_ref="test_sysctl_kernel_core_pattern_empty_string_static"/>
+        <!-- see sysctl.d(5) -->
+        <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.d/*.conf"
+                   test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
+        <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
+                   test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
+
+      </criteria>
+
+      <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
+                              check="all" check_existence="all_exist"
+                              comment="kernel.core_pattern static configuration" state_operator="OR">
+    <ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
+    <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
+                          comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
+    <ind:object object_ref="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+    <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld" version="1" check="all"
+                          comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR">
+    <ind:object object_ref="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+    <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+  </ind:textfilecontent54_test>
+  <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern"
+  id="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+    <ind:object object_ref="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+    <ind:state state_ref="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+  </ind:variable_test>
+
+  <ind:variable_object id="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+    <ind:var_ref>local_var_sysctl_kernel_core_pattern_empty_string_counter</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state id="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+    <ind:value operation="equals" datatype="int">1</ind:value>
+  </ind:variable_state>
+
+  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_sysctl_kernel_core_pattern_empty_string_counter" version="1">
+    <count>
+      <unique>
+        <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" item_field="filepath" />
+      </unique>
+    </count>
+  </local_variable>
+
+  <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" version="1">
+    <set>
+      <object_reference>object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered</object_reference>
+      <filter action="exclude">state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink</filter>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink" version="1">
+    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" datatype="string" />
+  </ind:textfilecontent54_state>
+
+  <!-- <no symlink handling> -->
+  <!-- We craft a variable with blank string to combine with the symlink paths found.
+       This ultimately avoids referencing a variable with "no values",
+       we reference a variable with a blank string -->
+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" version="1">
+    <unique>
+      <object_component object_ref="var_object_symlink_sysctl_kernel_core_pattern_empty_string" item_field="value" />
+    </unique>
+  </local_variable>
+
+  <ind:variable_object id="var_object_symlink_sysctl_kernel_core_pattern_empty_string" comment="combine the blank string with symlink paths found" version="1">
+    <set>
+      <object_reference>var_obj_symlink_sysctl_kernel_core_pattern_empty_string</object_reference>
+      <object_reference>var_obj_blank_sysctl_kernel_core_pattern_empty_string</object_reference>
+    </set>
+  </ind:variable_object>
+
+  <ind:variable_object id="var_obj_blank_sysctl_kernel_core_pattern_empty_string" comment="variable object of the blank string" version="1">
+    <ind:var_ref>local_var_blank_path_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
+  </ind:variable_object>
+
+  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_sysctl_kernel_core_pattern_empty_string" version="1">
+    <literal_component datatype="string"></literal_component>
+  </local_variable>
+
+  <ind:variable_object id="var_obj_symlink_sysctl_kernel_core_pattern_empty_string" comment="variable object of the symlinks found" version="1">
+    <ind:var_ref>local_var_symlinks_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
+  </ind:variable_object>
+  <!-- </no symlink handling> -->
+
+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_sysctl_kernel_core_pattern_empty_string" version="1">
+    <unique>
+      <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_symlinks" item_field="filepath" />
+    </unique>
+  </local_variable>
+
+  <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
+       Workaround by querying for all conf files found -->
+  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_sysctl_kernel_core_pattern_empty_string_symlinks" version="1">
+    <unix:filepath operation="equals" var_ref="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" />
+    <filter action="exclude">state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string</filter>
+  </unix:symlink_object>
+
+  <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
+       ^/etc/sysctl.conf$
+       ^/etc/sysctl.d/.*$
+       ^/run/sysctl.d/.*$
+       ^/usr/lib/sysctl.d/.*$ -->
+  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string" version="1">
+    <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
+  </unix:symlink_state>
+
+
+  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
+    <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
+  </local_variable>
+
+  <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
+       variable to have no value even when there are valid objects. -->
+  <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" version="1">
+    <set>
+      <object_reference>object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
+      <object_reference>object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
+    <set>
+      <object_reference>object_static_sysctl_sysctl_kernel_core_pattern_empty_string</object_reference>
+      <object_reference>object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
+    <set>
+      <object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
+
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_sysctl_sysctl_kernel_core_pattern_empty_string" version="1">
+    <ind:filepath>/etc/sysctl.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+    <ind:path>/etc/sysctl.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+    <ind:path>/run/sysctl.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+
+    <ind:subexpression operation="equals" datatype="string"></ind:subexpression>
+
+  </ind:textfilecontent54_state>
+
+</def-group>
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+index dc21f53c98c..2babb28e361 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+@@ -1,18 +1,18 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+prodtype: rhel9
+ 
+ title: 'Disable storing core dumps'
+ 
+ description: |-
+     The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
+-    name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
+    name. It can be set to an empty string. In this case, the kernel
+     behaves differently based on another related option. If
+     <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
+     <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
+     created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
+     <tt>0</tt>, no coredump is saved.
+-    {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+    {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="") }}}
+ 
+ rationale: |-
+     A core dump includes a memory image taken at the time the operating system
+@@ -30,17 +30,16 @@ conflicts:
+ identifiers:
+     cce@rhel9: CCE-86005-6
+ 
+references:
+    ospp: FMT_SMF_EXT.1
+
+ ocil_clause: |-
+-    the returned line does not have a value of ''.
+    the returned line does not have an empty string
+ 
+ ocil: |
+-    {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+    The runtime status of the <code>kernel.core_pattern</code> kernel parameter can be queried
+    by running the following command:
+    <pre>$ sysctl kernel.core_pattern | cat -A</pre>
+    <code>kernel.core_pattern = $</code>
+ 
+ platform: machine
+-
+-template:
+-    name: sysctl
+-    vars:
+-        sysctlvar: kernel.core_pattern
+-        sysctlval: "''"
+-        datatype: string
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
+new file mode 100644
+index 00000000000..71f0f5db142
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
+new file mode 100644
+index 00000000000..1c5fabcc136
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern="|/bin/false"
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
+new file mode 100644
+index 00000000000..e56e927ec56
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
+@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
+new file mode 100644
+index 00000000000..6c065b1e038
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 9fdd1354e38..b1b18261d48 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -110,7 +110,7 @@ selections:
+     - package_gnutls-utils_installed
+ 
+     ### Login
+-    - sysctl_kernel_core_pattern
+    - sysctl_kernel_core_pattern_empty_string
+     - sysctl_kernel_core_uses_pid
+     - service_systemd-coredump_disabled
+     - var_authselect_profile=minimal
+
+From a77abaf442d411fe7bc59e94a1c0330163e03a16 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 25 Aug 2022 11:13:04 +0200
+Subject: [PATCH 2/8] Make the conflicts attribute appblicable only to RHEL9.
+
+The new rule empty is applicable only to RHEL9 and if there would not be
+the restriction, then dangling references would be produced.
+---
+ .../restrictions/sysctl_kernel_core_pattern/rule.yml            | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+index 1a540ce20b3..e369854060b 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+@@ -13,8 +13,10 @@ rationale: |-
+ 
+ severity: medium
+ 
+{{% if product in ["rhel9"] %}}
+ conflicts:
+     - sysctl_kernel_core_pattern_empty_string
+{{% endif %}}
+ 
+ identifiers:
+     cce@rhcos4: CCE-82527-3
+
+From ec71ac98b89cc8295324c90b1610a5ff01126895 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 25 Aug 2022 11:16:41 +0200
+Subject: [PATCH 3/8] Switch bash remediation applicable to all products in
+ sysctl_kernel_core_pattern_empty_string.
+
+---
+ .../sysctl_kernel_core_pattern_empty_string/bash/shared.sh      | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+index 989987250bc..9e84d41056d 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_all
+ # reboot = true
+ # strategy = disable
+ # complexity = low
+
+From bac544446d3c5a1d87a2b4934cbb94ebc00d2ce9 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 25 Aug 2022 11:23:04 +0200
+Subject: [PATCH 4/8] Address feedback.
+
+---
+ .../ansible/shared.yml                        |  3 +++
+ .../oval/shared.xml                           | 19 +++++--------------
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+index a6e7bf54b56..22a8d99dae8 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+@@ -12,6 +12,7 @@
+     patterns: '*.conf'
+     file_type: any
+   register: find_sysctl_d
+
+ - name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
+     files
+   replace:
+@@ -19,11 +20,13 @@
+     regexp: ^[\s]*kernel.core_pattern
+     replace: '#kernel.core_pattern'
+   loop: '{{ find_sysctl_d.files }}'
+
+ - name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
+   replace:
+     path: /etc/sysctl.conf
+     regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
+     replace: '#kernel.core_pattern'
+
+ - name: Ensure sysctl kernel.core_pattern is set to empty
+   sysctl:
+     name: kernel.core_pattern
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+index 39654259dcb..1c3bbfd9a3e 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+@@ -10,7 +10,9 @@
+                          definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
+     </criteria>
+   </definition>
+-</def-group><def-group>
+</def-group>
+
+<def-group>
+   <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
+     {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
+     <criteria operator="AND">
+@@ -23,21 +25,15 @@
+                     comment="kernel runtime parameter kernel.core_pattern set to an empty string"
+                     check="all" check_existence="all_exist" state_operator="OR">
+     <unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
+-
+     <unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
+-
+   </unix:sysctl_test>
+ 
+   <unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
+     <unix:name>kernel.core_pattern</unix:name>
+   </unix:sysctl_object>
+ 
+-
+   <unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
+-
+-    <unix:value datatype="string"
+-                operation="equals"></unix:value>
+-
+    <unix:value datatype="string" operation="equals"></unix:value>
+   </unix:sysctl_state>
+ 
+ </def-group>
+@@ -53,18 +49,17 @@
+                    test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
+         <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
+                    test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
+-
+       </criteria>
+ 
+       <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+     </criteria>
+   </definition>
+
+   <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
+                               check="all" check_existence="all_exist"
+                               comment="kernel.core_pattern static configuration" state_operator="OR">
+     <ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
+     <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+-
+   </ind:textfilecontent54_test>
+ 
+   <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
+@@ -165,7 +160,6 @@
+     <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
+   </unix:symlink_state>
+ 
+-
+   <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
+     <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
+   </local_variable>
+@@ -189,7 +183,6 @@
+   <ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
+     <set>
+       <object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
+-
+     </set>
+   </ind:textfilecontent54_object>
+ 
+@@ -213,9 +206,7 @@
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+   <ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+-
+     <ind:subexpression operation="equals" datatype="string"></ind:subexpression>
+-
+   </ind:textfilecontent54_state>
+ 
+ </def-group>
+
+From 39bb8e75c95c469a4f6428664f24f7f9688ffa87 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 25 Aug 2022 14:46:15 +0200
+Subject: [PATCH 5/8] Fix test parse affected to support OVAL with multiple
+ def-group tags.
+
+---
+ tests/test_parse_affected.py | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
+index 8407794b972..947b56636c0 100755
+--- a/tests/test_parse_affected.py
+++ b/tests/test_parse_affected.py
+@@ -3,6 +3,7 @@
+ from __future__ import print_function
+ 
+ import os
+import re
+ import sys
+ 
+ import ssg.constants
+@@ -73,19 +74,24 @@ def parse_affected(cur_dir, env_yaml):
+             if not xml_content:
+                 continue
+ 
+-            oval_contents = ssg.utils.split_string_content(xml_content)
+            # split multiple def group into a list so multiple definitions in one OVAL also work
+            # this findall does not preserv the <def-group> tag but it's not necessary for the
+            # purpose of the test
+            xml_content_list = re.findall(r'<def-group>(.+?)</def-group>', xml_content, re.DOTALL)
+            for item in xml_content_list:
+                oval_contents = ssg.utils.split_string_content(item)
+ 
+-            try:
+-                results = ssg.oval.parse_affected(oval_contents)
+                try:
+                    results = ssg.oval.parse_affected(oval_contents)
+ 
+-                assert len(results) == 3
+-                assert isinstance(results[0], int)
+-                assert isinstance(results[1], int)
+                    assert len(results) == 3
+                    assert isinstance(results[0], int)
+                    assert isinstance(results[1], int)
+ 
+-            except ValueError as e:
+-                print("No <affected> element found in file {}. "
+-                      " Parsed XML was:\n{}".format(oval, xml_content))
+-                raise e
+                except ValueError as e:
+                    print("No <affected> element found in file {}. "
+                        " Parsed XML was:\n{}".format(oval, item))
+                    raise e
+ 
+ 
+ if __name__ == "__main__":
+
+From 8d6176c1f96f983aaa0134d19cc66fd3c7b29e15 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 25 Aug 2022 15:14:57 +0200
+Subject: [PATCH 6/8] Fix ansible remediation to preserve old non compliant
+ values.
+
+Comment out any offending line.
+---
+ .../ansible/shared.yml                                        | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+index 22a8d99dae8..f4dc5110fee 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+@@ -24,8 +24,8 @@
+ - name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
+   replace:
+     path: /etc/sysctl.conf
+-    regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
+-    replace: '#kernel.core_pattern'
+    regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)'
+    replace: '#kernel.core_pattern\1'
+ 
+ - name: Ensure sysctl kernel.core_pattern is set to empty
+   sysctl:
+
+From c5bcea37000f54f3273d529237e02fe0979e6d6d Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 25 Aug 2022 15:20:41 +0200
+Subject: [PATCH 7/8] Fix PEP8 issue.
+
+---
+ tests/test_parse_affected.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
+index 947b56636c0..53690df5ce1 100755
+--- a/tests/test_parse_affected.py
+++ b/tests/test_parse_affected.py
+@@ -90,7 +90,7 @@ def parse_affected(cur_dir, env_yaml):
+ 
+                 except ValueError as e:
+                     print("No <affected> element found in file {}. "
+-                        " Parsed XML was:\n{}".format(oval, item))
+                          " Parsed XML was:\n{}".format(oval, item))
+                     raise e
+ 
+ 
+
+From 243347ad56fcd4f83f0b77e9b3b7fcd98d0d4acb Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 25 Aug 2022 16:31:31 +0200
+Subject: [PATCH 8/8] Add more test scenarios for
+ sysctl_kernel_core_pattern_empty_string.
+
+---
+ .../tests/correct_value_with_spaces.pass.sh            | 10 ++++++++++
+ .../tests/wrong_value_d_directory.fail.sh              |  9 +++++++++
+ .../tests/wrong_value_runtime.fail.sh                  | 10 ++++++++++
+ 3 files changed, 29 insertions(+)
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
+new file mode 100644
+index 00000000000..b6688e6ca91
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=    " >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
+new file mode 100644
+index 00000000000..6c574b92762
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
+@@ -0,0 +1,9 @@
+#!/bin/bash
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
+new file mode 100644
+index 00000000000..8c729677b86
+--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern="|/bin/false"
--- a/SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
+++ b/SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
@ -0,0 +1,47 @@
+From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 20 Jul 2022 14:18:13 +0200
+Subject: [PATCH] change remediations to include the "=" sign
+
+---
+ .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
+ .../crypto/configure_openssl_crypto_policy/bash/shared.sh     | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+index c335a9e7fa2..852ca18cf79 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+@@ -20,7 +20,7 @@
+   lineinfile:
+     create: yes
+     insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
+-    line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
+    line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config"
+     path: {{{ openssl_cnf_path }}}
+   when:
+     - test_crypto_policy_group.stdout is defined
+@@ -29,7 +29,7 @@
+ - name: "Add crypto_policy group and set include opensslcnf.config"
+   lineinfile:
+     create: yes
+-    line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
+    line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config"
+     path: {{{ openssl_cnf_path }}}
+   when:
+     - test_crypto_policy_group.stdout is defined
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+index 21edb780a2f..79eb5cff189 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+@@ -2,8 +2,8 @@
+ 
+ OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
+ OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
+-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
+ 
+ {{% if 'sle' in product %}}
+   {{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}}
--- a/SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
+++ b/SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
@ -0,0 +1,29 @@
+From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 28 Jul 2022 15:08:15 +0200
+Subject: [PATCH] Remove a confusing sentence
+
+In the rule description, there are 2 conflicting sentences, they
+both start by "By default ...", but they negate each other.
+In fact, the second of them is true, so the first one could be
+removed.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799
+---
+ .../accounts-physical/require_singleuser_auth/rule.yml         | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+index 932d76c36d9..332712ea1dd 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode'
+ description: |-
+     Single-user mode is intended as a system recovery
+     method, providing a single user root access to the system by
+-    providing a boot option at startup. By default, no authentication
+-    is performed if single-user mode is selected.
+    providing a boot option at startup.
+     <br /><br />
+     By default, single-user mode is protected by requiring a password and is set
+     in <tt>/usr/lib/systemd/system/rescue.service</tt>.
--- a/SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
+++ b/SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
@ -0,0 +1,48 @@
+From d76e93e697755e63d5c833747adef4af23c3256b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 22 Aug 2022 13:51:28 +0200
+Subject: [PATCH 1/2] switch sysctl_kernel_core_pattern_empty_string for
+ sysctl_kernel_core_pattern
+
+---
+ products/rhel9/profiles/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index b1b18261d48..9fdd1354e38 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -110,7 +110,7 @@ selections:
+     - package_gnutls-utils_installed
+ 
+     ### Login
+-    - sysctl_kernel_core_pattern_empty_string
+    - sysctl_kernel_core_pattern
+     - sysctl_kernel_core_uses_pid
+     - service_systemd-coredump_disabled
+     - var_authselect_profile=minimal
+
+From d304b9f0037bfac6e20b1365e0d320f714ce09a3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 22 Aug 2022 13:51:55 +0200
+Subject: [PATCH 2/2] remove ospp reference from
+ sysctl_kernel_core_pattern_empty_string
+
+---
+ .../sysctl_kernel_core_pattern_empty_string/rule.yml           | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+index 089bb1481aa..dc21f53c98c 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+@@ -30,9 +30,6 @@ conflicts:
+ identifiers:
+     cce@rhel9: CCE-86005-6
+ 
+-references:
+-    ospp: FMT_SMF_EXT.1
+-
+ ocil_clause: |-
+     the returned line does not have a value of ''.
+ 
--- a/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch
+++ b/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch
@ -0,0 +1,60 @@
+From be2aba89ab61767fd301ee1ac4f4e64bf5a66887 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 11 Aug 2022 16:53:48 +0200
+Subject: [PATCH] add 4 rules back to RHEL9 datastream
+
+---
+ .../services/kerberos/package_krb5-server_removed/rule.yml      | 2 +-
+ .../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
+ .../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +-
+ .../system-tools/package_krb5-workstation_removed/rule.yml      | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
+index 78577046409..17d742d9692 100644
+--- a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
+++ b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol7,ol8,rhel7,rhel8
+prodtype: ol7,ol8,rhel7,rhel8,rhel9
+ 
+ title: 'Remove the Kerberos Server Package'
+ 
+diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+index d8a3910ff4d..9be95ffed5c 100644
+--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Remove NIS Client'
+ 
+diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+index ee7ccb2d8da..0f7ad7c0431 100644
+--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+ 
+ title: 'Uninstall ypserv Package'
+ 
+diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+index 7a02459825d..4750fd6b266 100644
+--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9
+ 
+ title: 'Uninstall krb5-workstation Package'
+ 
--- a/SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
+++ b/SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -0,0 +1,539 @@
+# SSG build system and tests count with build directory name `build`.
+# For more details see:
+# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
+%global _vpath_builddir build
+# global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly
+
+Name:		scap-security-guide
+Version:	0.1.63
+Release:	5%{?dist}
+Summary:	Security guidance and baselines in SCAP formats
+License:	BSD-3-Clause
+URL:		https://github.com/ComplianceAsCode/content/
+Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+BuildArch:	noarch
+
+Patch0:		scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
+Patch1:		scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
+Patch2:		scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
+Patch3:		scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
+Patch4:		scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
+Patch5:		scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
+Patch6:		scap-security-guide-0.1.64-readd_rules-PR_9334.patch
+Patch7:		scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
+Patch8:		scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
+
+BuildRequires:	libxslt
+BuildRequires:	expat
+BuildRequires:	openscap-scanner >= 1.2.5
+BuildRequires:	cmake >= 2.8
+# To get python3 inside the buildroot require its path explicitly in BuildRequires
+BuildRequires: /usr/bin/python3
+BuildRequires:	python%{python3_pkgversion}
+BuildRequires:	python%{python3_pkgversion}-jinja2
+BuildRequires:	python%{python3_pkgversion}-PyYAML
+Requires:	xml-common, openscap-scanner >= 1.2.5
+
+%description
+The scap-security-guide project provides a guide for configuration of the
+system from the final system's security point of view. The guidance is specified
+in the Security Content Automation Protocol (SCAP) format and constitutes
+a catalog of practical hardening advice, linked to government requirements
+where applicable. The project bridges the gap between generalized policy
+requirements and specific implementation guidelines. The system
+administrator can use the oscap CLI tool from openscap-scanner package, or the
+scap-workbench GUI tool from scap-workbench package to verify that the system
+conforms to provided guideline. Refer to scap-security-guide(8) manual page for
+further information.
+
+%package	doc
+Summary:	HTML formatted security guides generated from XCCDF benchmarks
+Requires:	%{name} = %{version}-%{release}
+
+%description	doc
+The %{name}-doc package contains HTML formatted documents containing
+hardening guidances that have been generated from XCCDF benchmarks
+present in %{name} package.
+
+%if ( %{defined rhel} && (! %{defined centos}) )
+%package	rule-playbooks
+Summary:	Ansible playbooks per each rule.
+Group:		System Environment/Base
+Requires:	%{name} = %{version}-%{release}
+
+%description	rule-playbooks
+The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
+%endif
+
+%prep
+%autosetup -p1
+
+%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
+%define cmake_defines_specific %{nil}
+%if 0%{?rhel}
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
+%endif
+%if 0%{?centos}
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
+%endif
+
+mkdir -p build
+%build
+%cmake %{cmake_defines_common} %{cmake_defines_specific}
+%cmake_build
+
+%install
+%cmake_install
+rm %{buildroot}/%{_docdir}/%{name}/README.md
+rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
+
+%files
+%{_datadir}/xml/scap/ssg/content
+%{_datadir}/%{name}/kickstart
+%{_datadir}/%{name}/ansible/*.yml
+%lang(en) %{_mandir}/man8/scap-security-guide.8.*
+%doc %{_docdir}/%{name}/LICENSE
+%if ( %{defined rhel} && (! %{defined centos}) )
+%exclude %{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
+%files doc
+%doc %{_docdir}/%{name}/guides/*.html
+%doc %{_docdir}/%{name}/tables/*.html
+
+%if ( %{defined rhel} && (! %{defined centos}) )
+%files rule-playbooks
+%defattr(-,root,root,-)
+%{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
+%changelog
+* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
+- OSPP: fix rule related to coredump (RHBZ#2081688)
+
+* Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
+- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
+
+* Thu Aug 11 2022 Matej Tyc <matyc@redhat.com> - 0.1.63-3
+- Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
+
+* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
+- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
+- OSPP: update rules related to coredumps (RHBZ#2081688)
+- OSPP: update rules related to BPF (RHBZ#2081728)
+- fix description of require_singleuser_mode (RHBZ#2092799)
+- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
+- OSPP: use minimal Authselect profile(RHBZ#2114979)
+
+* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
+- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
+
+* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
+- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
+- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
+- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
+- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
+- Remove some sysctl rules  related to network from RHEL9 OSPP (RHBZ#2081708)
+- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
+- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
+- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
+- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
+- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
+- Remove rules related to NIS services (RHBZ#2096602)
+- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
+
+* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
+- Rebase to a new upstream release (RHBZ#2070563)
+
+* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
+- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
+- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
+- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
+
+* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
+- Fix Ansible service disabled tasks (RHBZ#2014561)
+- Update description of OSPP profile (RHBZ#2045386)
+- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
+
+* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
+- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
+- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
+- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
+- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
+- Update GRUB2 rule descriptions (RHBZ#2020623)
+- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
+
+* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
+- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
+
+* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
+- Rebase to a new upstream release (RHBZ#2014561)
+
+* Wed Dec 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.59-1
+- Rebase to a new upstream release (RHBZ#2014561)
+- Enable Centos Stream 9 content (RHBZ#2021284)
+
+* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
+- Rebase to a new upstream release (RHBZ#2014561)
+- Disable profiles that we disable in RHEL8
+- Add a VM wait handling to fix issues with tests.
+
+* Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
+- Fix remediations applicability of zipl rules
+  Resolves: rhbz#1996847
+
+* Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
+- Fix a broken HTTP link
+  Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
+  Resolves: rhbz#1962564
+
+* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
+- Use SSHD directory-based configuration.
+  Resolves: rhbz#1962564
+- Introduce ISM kickstarts
+  Resolves: rhbz#1978290
+- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
+  TLDR: Enable remediations by means of platform metadata,
+  enable the RHEL9 GPG rule, introduce the s390x platform,
+  fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
+  address the subscription-manager package merge, and
+  enable and select more rules applicable to RHEL9.
+  Resolves: rhbz#1987227
+  Resolves: rhbz#1987226
+  Resolves: rhbz#1987231
+  Resolves: rhbz#1988289
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
+- Upgrade to the latest upstream release
+- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
+
+* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
+- Introduced the playbooks subpackage.
+- Enabled CentOS content on CentOS systems.
+- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
+
+* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
+- Enable more RHEL9 rules and introduce RHEL9 profile stubs
+
+* Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
+- Upgrade to the latest upstream release
+- remove README.md and Contributors.md
+- remove SCAP component files
+- remove SCAP 1.2 source data streams
+- remove HTML guides for the virtual “(default)” profile
+- remove profile Bash remediation scripts
+- build only RHEL9 content
+- remove other products
+- use autosetup in %prep phase
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.54-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
+- fix definition of build directory
+
+* Fri Feb 05 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-1
+- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.53-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov 16 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
+- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
+
+* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-3
+- revert previous rework, it did not solve the problem
+
+* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-2
+- rewrite solution for CMake out of source builds
+
+* Mon Sep 21 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-1
+- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
+
+* Tue Aug 04 2020 Jan Černý <jcerny@redhat.com> - 0.1.51-4
+- Update for new CMake out of source builds
+  https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
+- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 17 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.51-1
+- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
+
+* Mon Mar 23 2020 Watson Sato <wsato@redhat.com> - 0.1.49-1
+- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.48-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 16 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
+- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
+
+* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
+- Hotfix of the XML parsing fix.
+
+* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-1
+- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
+- Fixed XML parsing of remediation functions.
+
+* Mon Jul 29 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
+- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.44-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon May 06 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.44-1
+- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
+
+* Fri Feb 22 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-1
+- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
+- Update URL and source URL
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.42-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Dec 12 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.42-1
+- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
+- Fix man page build dependency on derivative content
+
+* Mon Oct 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
+- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
+  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
+- Fix Licence of this package
+
+* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
+- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
+- Update to use Python3 for build.
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.39-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
+- Add python version to python2-jinja2 package
+
+* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
+- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
+
+* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-2
+- Add python version to python package prefixes
+
+* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
+- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
+- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
+
+* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
+- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
+
+* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
+- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
+- updated to latest upstream release
+
+* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
+- updated to latest upstream release
+
+* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
+- updated to latest upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
+- use make_build and make_install RPM macros
+
+* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
+- update to the latest upstream release
+- new default location for content /usr/share/scap/ssg
+- install HTML tables in the doc subpackage
+
+* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
+- Correct currently failing parallel SCAP Security Guide build
+
+* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
+- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
+- Drop shell library for remediation functions since it is not required
+  starting from 0.1.30 release any more
+
+* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
+- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
+- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
+  in 0.1.29 upstream release
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
+- upgrade to the latest upstream release
+
+* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
+- update to the latest upstream release
+
+* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
+- update to the latest upstream release
+
+* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
+- update to the latest upstream release
+
+* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
+- update to the latest upstream release
+- created doc sub-package to ship all the guides
+- start distributing centos and scientific linux content
+- rename java content to jre
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
+- update to the latest upstream release
+- only DataStream file is now available for Fedora
+- start distributing security baseline for Firefox
+- start distributing security baseline for Java RunTime deployments
+
+* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
+- update to the latest upstream release
+- move content to /usr/share/scap/ssg/content
+
+* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
+- update to the latest upstream release
+
+* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
+- require only openscap-scanner, not whole openscap-utils package
+
+* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
+- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
+- Add STIG DISCLAIMER to the shipped documentation
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
+- Fix fedora-srpm and fedora-rpm Make targets to work again
+- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
+- EOL for Fedora 18 support
+- Include Fedora datastream file for remote Fedora system scans
+
+* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
+- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
+
+* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
+- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
+  it to /shared
+- Add shared remediations for sshd disable empty passwords and
+  sshd set idle timeout
+- Shared remediation for sshd disable root login
+- Add empty -compat subpackage to ensure backward-compatibility with
+  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
+- OVAL check for sshd disable root login
+- Fix typo in OVAL check for sshd disable empty passwords
+- OVAL check for sshd disable empty passwords
+- Unselect no shelllogin for systemaccounts rule from being run by default
+- Rename XCCDF rules
+- Revert Set up Fedora release name and CPE based on build system properties
+- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
+- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
+- Shared OVAL check for Verify that System Executables Have Root Ownership
+- Shared OVAL check for Verify that Shared Library Files Have Restrictive
+  Permissions
+- Fix remediation for Disable Prelinking rule
+- OVAL check and remediation for sshd's ClientAliveCountMax rule
+- OVAL check for sshd's ClientAliveInterval rule
+- Include descriptions for permissions section, and rules for checking
+  permissions and ownership of shared library files and system executables
+- Disable selected rules by default
+- Add remediation for Disable Prelinking rule
+- Adjust service-enable-macro, service-disable-macro XSLT transforms
+  definition to evaluate to proper systemd syntax
+- Fix service_ntpd_enabled OVAL check make validate to pass again
+- Include patch from Šimon Lukašík to obsolete openscap-content
+  package (RH BZ#1028706)
+- Add OVAL check to test if there's is remote NTP server configured for
+  time data
+- Add system settings section for the guide (to track system wide
+  hardening configurations)
+- Include disable prelink rule and OVAL check for it
+- Initial OVAL check if ntpd service is enabled. Add package_installed
+  OVAL templating directory structure and functionality.
+- Include services section, and XCCDF description for selected ntpd's
+  sshd's service rules
+- Include remediations for login.defs' based password minimum, maximum and
+  warning age rules
+- Include directory structure to support remediations
+- Add SCAP "replace or append pattern value in text file based on variable"
+  remediation script generator
+- Add remediation for "Set Password Minimum Length in login.defs" rule
+
+* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
+- Update versioning scheme - move fedorassgrelease to be part of
+  upstream version. Rename it to fedorassgversion to avoid name collision
+  with Fedora package release.
+
+* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
+- Add .gitignore for Fedora output directory
+- Set up Fedora release name and CPE based on build system properties
+- Use correct file paths in scap-security-guide(8) manual page 
+  (RH BZ#1018905, c#10)
+- Apply further changes motivated by scap-security-guide Fedora RPM review
+  request (RH BZ#1018905, c#8):
+  * update package description,
+  * make content files to be owned by the scap-security-guide package,
+  * remove Fedora release number from generated content files,
+  * move HTML form of the guide under the doc directory (together
+    with that drop fedora/content subdir and place the content
+    directly under fedora/ subdir).
+- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
+  * drop Fedora release from package provided files' final path (c#5),
+  * drop BuildRoot, selected Requires:, clean section, drop chcon for
+    manual page, don't gzip man page (c#4),
+  * change package's description (c#4),
+  * include PD license text (#c4).
+
+* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
+- Provide manual page for scap-security-guide
+- Remove percent sign from spec's changelog to silence rpmlint warning
+- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
+- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
+- Introduce 'Account and Access Control' section
+- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
+  rules to Fedora
+- Set proper name of the build directory in the spec's setup macro.
+- Replace hard-coded paths with macros. Preserve attributes when copying files.
+
+* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
+- Initial Fedora SSG RPM.
				`@ -0,0 +1 @@`
				`b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2`