7 changed files with 390 additions and 36 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.74.tar.bz2
+SOURCES/scap-security-guide-0.1.69.tar.bz2
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@ -1 +1 @@
-31288700eb6b3cd31d181592238babd8752d5074 SOURCES/scap-security-guide-0.1.74.tar.bz2
+60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
--- a/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
+++ b/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
@ -0,0 +1,52 @@
 From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 8 Aug 2023 15:15:21 +0200
 Subject: [PATCH] Remove kernel cmdline check
 The OVAL in rule enable_fips_mode contains multiple checks. One
 of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
 Although this is useful for latest RHEL versions, this file doesn't
 exist on RHEL 8.6 and 9.0. This causes that the rule fails after
 remediation on these RHEL versions.
 We want the same OVAL behavior on all minor RHEL releases, therefore
 we will remove this test from the OVAL completely.
 Related to: https://github.com/ComplianceAsCode/content/pull/10897
 ---
 .../fips/enable_fips_mode/oval/shared.xml         | 15 ---------------
 1 file changed, 15 deletions(-)
 diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
 index 88aae7aaab9..3b50e07060e 100644
 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
 +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -12,8 +12,6 @@
         comment="system cryptography policy is configured"/>
       <criterion test_ref="test_system_crypto_policy_value"
         comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
 -      <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
 -        comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
       {{% if "ol" in product or "rhel" in product %}}
       <criteria operator="OR">
         <criteria operator="AND">
@@ -57,19 +55,6 @@
     <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
   </ind:textfilecontent54_state>
 -  <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
 -    check="all" check_existence="all_exist"
 -    comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
 -    <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
 -    <ind:state state_ref="state_fips_1_argument_in_captured_group" />
 -  </ind:textfilecontent54_test>
 -
 -  <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
 -    <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
 -    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
 -    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 -  </ind:textfilecontent54_object>
 -
   <ind:variable_test id="test_system_crypto_policy_value" version="1"
     check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
     <ind:object object_ref="obj_system_crypto_policy_value" />
--- a/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
+++ b/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
@ -0,0 +1,272 @@
 From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
 From: Marcus Burghardt <maburgha@redhat.com>
 Date: Thu, 27 Jul 2023 10:02:08 +0200
 Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
 This commit only improves readability without any technical impact in
 the OVAL logic.
 ---
 .../fips/enable_fips_mode/oval/shared.xml     | 81 ++++++++++++-------
 1 file changed, 50 insertions(+), 31 deletions(-)
 diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
 index fe3f96f52a5..0ec076a5fb7 100644
 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
 +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -1,32 +1,38 @@
 <def-group>
 -  <definition class="compliance" id="enable_fips_mode" version="1">
 +  <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
     <criteria operator="AND">
 -      <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
 -      <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
 -      <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
 -      <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
 -      <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
 -      <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
 +      <extend_definition definition_ref="etc_system_fips_exists"
 +        comment="check /etc/system-fips exists"/>
 +      <extend_definition definition_ref="sysctl_crypto_fips_enabled"
 +        comment="check sysctl crypto.fips_enabled = 1"/>
 +      <extend_definition definition_ref="enable_dracut_fips_module"
 +        comment="Dracut FIPS module is enabled"/>
 +      <extend_definition definition_ref="configure_crypto_policy"
 +        comment="system cryptography policy is configured"/>
 +      <criterion test_ref="test_system_crypto_policy_value"
 +        comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
 +      <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
 +        comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
       {{% if "ol" in product or "rhel" in product %}}
       <criteria operator="OR">
         <criteria operator="AND">
 -          <extend_definition comment="Generic test for s390x architecture"
 -          definition_ref="system_info_architecture_s390_64" />
 -          <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
 -          test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
 +          <extend_definition definition_ref="system_info_architecture_s390_64"
 +            comment="Generic test for s390x architecture"/>
 +          <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
 +            comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
         </criteria>
         <criteria operator="AND">
           <criteria negate="true">
 -            <extend_definition comment="Generic test for NOT s390x architecture"
 -            definition_ref="system_info_architecture_s390_64" />
 +            <extend_definition definition_ref="system_info_architecture_s390_64"
 +              comment="Generic test for NOT s390x architecture"/>
           </criteria>
           {{% if product in ["ol8", "rhel8"] %}}
 -          <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
 -          test_ref="test_grubenv_fips_mode" />
 +          <criterion test_ref="test_grubenv_fips_mode"
 +            comment="check if the kernel boot parameter is configured for FIPS mode"/>
           {{% else %}}
 -          <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
 -          test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
 +          <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
 +            comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
           {{% endif %}}
         </criteria>
       </criteria>
@@ -34,58 +40,71 @@
     </criteria>
   </definition>
 -  <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
 -  comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
 -  check="all" check_existence="all_exist" version="1">
 +  <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
 +    check="all" check_existence="all_exist"
 +    comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
     <ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
     <ind:state state_ref="state_fips_1_argument_in_captured_group" />
   </ind:textfilecontent54_test>
 +
   <ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
     <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
     <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 +
   <ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
     <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
   </ind:textfilecontent54_state>
 -  <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
 -  comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
 -  check="all" check_existence="all_exist" version="1">
 +
 +  <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
 +    check="all" check_existence="all_exist"
 +    comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
     <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
     <ind:state state_ref="state_fips_1_argument_in_captured_group" />
   </ind:textfilecontent54_test>
 +
   <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
     <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
     <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 -  <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
 +  <ind:variable_test id="test_system_crypto_policy_value" version="1"
 +    check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
     <ind:object object_ref="obj_system_crypto_policy_value" />
     <ind:state state_ref="ste_system_crypto_policy_value" />
   </ind:variable_test>
 +
   <ind:variable_object id="obj_system_crypto_policy_value" version="1">
     <ind:var_ref>var_system_crypto_policy</ind:var_ref>
   </ind:variable_object>
 -  <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
 +
 +  <ind:variable_state id="ste_system_crypto_policy_value" version="2"
 +    comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
   {{% if product in ["ol9","rhel9"] -%}}
     <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
   {{%- else %}}
 -  {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
 +  {{# Legacy and more relaxed list of crypto policies that were historically considered
 +      FIPS-compatible. More recent products should use the more restricted list of options #}}
     <ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
   {{%- endif %}}
   </ind:variable_state>
 +
   {{% if product in ["ol8","rhel8"] %}}
 -  <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
 -  comment="Fips mode selected in running kernel opts" version="1">
 +  <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
 +    check="all" check_existence="all_exist"
 +    comment="Fips mode selected in running kernel opts">
     <ind:object object_ref="obj_grubenv_fips_mode" />
   </ind:textfilecontent54_test>
 -  <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
 -  version="1">
 +
 +  <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
     <ind:filepath>/boot/grub2/grubenv</ind:filepath>
     <ind:pattern operation="pattern match">fips=1</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   {{% endif %}}
 -  <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
 +
 +  <external_variable id="var_system_crypto_policy" version="1"
 +    datatype="string" comment="defined crypto policy"/>
 </def-group>
 From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
 From: Marcus Burghardt <maburgha@redhat.com>
 Date: Thu, 27 Jul 2023 10:20:33 +0200
 Subject: [PATCH 2/2] Improve OVAL comments for better readability
 Simplified the comments and aligned the respective lines to the
 project Style Guides.
 ---
 .../fips/enable_fips_mode/oval/shared.xml     | 31 ++++++++++---------
 1 file changed, 16 insertions(+), 15 deletions(-)
 diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
 index 0ec076a5fb7..88aae7aaab9 100644
 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
 +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -3,36 +3,36 @@
     {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
     <criteria operator="AND">
       <extend_definition definition_ref="etc_system_fips_exists"
 -        comment="check /etc/system-fips exists"/>
 +        comment="check /etc/system-fips file existence"/>
       <extend_definition definition_ref="sysctl_crypto_fips_enabled"
 -        comment="check sysctl crypto.fips_enabled = 1"/>
 +        comment="check option crypto.fips_enabled = 1 in sysctl"/>
       <extend_definition definition_ref="enable_dracut_fips_module"
 -        comment="Dracut FIPS module is enabled"/>
 +        comment="dracut FIPS module is enabled"/>
       <extend_definition definition_ref="configure_crypto_policy"
         comment="system cryptography policy is configured"/>
       <criterion test_ref="test_system_crypto_policy_value"
 -        comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
 +        comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
       <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
 -        comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
 +        comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
       {{% if "ol" in product or "rhel" in product %}}
       <criteria operator="OR">
         <criteria operator="AND">
           <extend_definition definition_ref="system_info_architecture_s390_64"
 -            comment="Generic test for s390x architecture"/>
 +            comment="generic test for s390x architecture"/>
           <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
 -            comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
 +            comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
         </criteria>
         <criteria operator="AND">
           <criteria negate="true">
             <extend_definition definition_ref="system_info_architecture_s390_64"
 -              comment="Generic test for NOT s390x architecture"/>
 +              comment="generic test for non-s390x architecture"/>
           </criteria>
           {{% if product in ["ol8", "rhel8"] %}}
           <criterion test_ref="test_grubenv_fips_mode"
             comment="check if the kernel boot parameter is configured for FIPS mode"/>
           {{% else %}}
           <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
 -            comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
 +            comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
           {{% endif %}}
         </criteria>
       </criteria>
@@ -42,7 +42,7 @@
   <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
     check="all" check_existence="all_exist"
 -    comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
 +    comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
     <ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
     <ind:state state_ref="state_fips_1_argument_in_captured_group" />
   </ind:textfilecontent54_test>
@@ -59,7 +59,7 @@
   <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
     check="all" check_existence="all_exist"
 -    comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
 +    comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
     <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
     <ind:state state_ref="state_fips_1_argument_in_captured_group" />
   </ind:textfilecontent54_test>
@@ -71,7 +71,7 @@
   </ind:textfilecontent54_object>
   <ind:variable_test id="test_system_crypto_policy_value" version="1"
 -    check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
 +    check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
     <ind:object object_ref="obj_system_crypto_policy_value" />
     <ind:state state_ref="ste_system_crypto_policy_value" />
   </ind:variable_test>
@@ -81,7 +81,8 @@
   </ind:variable_object>
   <ind:variable_state id="ste_system_crypto_policy_value" version="2"
 -    comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
 +    comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
 +to a crypto policy module that further restricts the modified crypto policy.">
   {{% if product in ["ol9","rhel9"] -%}}
     <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
   {{%- else %}}
@@ -94,7 +95,7 @@
   {{% if product in ["ol8","rhel8"] %}}
   <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
     check="all" check_existence="all_exist"
 -    comment="Fips mode selected in running kernel opts">
 +    comment="FIPS mode is selected in running kernel options">
     <ind:object object_ref="obj_grubenv_fips_mode" />
   </ind:textfilecontent54_test>
@@ -106,5 +107,5 @@
   {{% endif %}}
   <external_variable id="var_system_crypto_policy" version="1"
 -    datatype="string" comment="defined crypto policy"/>
 +    datatype="string" comment="variable which selects the crypto policy"/>
 </def-group>
--- a/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
+++ b/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
@ -0,0 +1,21 @@
 From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
 From: Vojtech Polasek <vpolasek@redhat.com>
 Date: Tue, 15 Aug 2023 15:17:16 +0200
 Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
 rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
 ---
 controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
 1 file changed, 2 deletions(-)
 diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
 index d5fe6e1327b..9d9dc579fc4 100644
 --- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
 +++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
@@ -7,6 +7,4 @@ controls:
         rules:
             - sshd_enable_pam
             - sysctl_crypto_fips_enabled
 -            - harden_sshd_ciphers_openssh_conf_crypto_policy
 -            - harden_sshd_macs_openssh_conf_crypto_policy
         status: automated
--- a/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
+++ b/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
@ -0,0 +1,30 @@
 From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
 From: Vojtech Polasek <vpolasek@redhat.com>
 Date: Thu, 17 Aug 2023 10:50:09 +0200
 Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
 ---
 products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
 products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
 2 files changed, 4 insertions(+)
 diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
 index e2eeabbb78d..204e141b1f5 100644
 --- a/products/rhel8/profiles/anssi_bp28_high.profile
 +++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
 selections:
     - anssi:all:high
 +    # the following rule renders UEFI systems unbootable
 +    - '!sebool_secure_mode_insmod'
 diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
 index e2eeabbb78d..204e141b1f5 100644
 --- a/products/rhel9/profiles/anssi_bp28_high.profile
 +++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
 selections:
     - anssi:all:high
 +    # the following rule renders UEFI systems unbootable
 +    - '!sebool_secure_mode_insmod'
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -5,19 +5,27 @@
 # global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly
 Name:		scap-security-guide
-Version:	0.1.74
+Version:	0.1.69
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Fix rule enable_fips_mode
 Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
 Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
 # remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
 Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
 # remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
 Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
 BuildArch:	noarch
 BuildRequires:	libxslt
 BuildRequires:	expat
 BuildRequires:	openscap-scanner >= 1.2.5
 BuildRequires:	cmake >= 2.8
-BuildRequires:	python%{python3_pkgversion}-devel
+# To get python3 inside the buildroot require its path explicitly in BuildRequires
 BuildRequires: /usr/bin/python3
 BuildRequires:	python%{python3_pkgversion}
 BuildRequires:	python%{python3_pkgversion}-jinja2
 BuildRequires:	python%{python3_pkgversion}-PyYAML
@ -97,37 +105,8 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 %changelog
-* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1
+* Mon Oct 09 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 0.1.69-2
- Rebase to a new upstream release 0.1.74 (RHEL-53865)
+- Rebuilt for MSVSphere 9.3 beta
 - Ensure authselect features are preserved by enable_authselect rule (RHEL-39383)
 - Fix check for passwords last changed date (RHEL-47129)
 - Remediations of Journald configuration files now include a correct section (RHEL-38531)
 - Adjust service requirements for CIS profiles (RHEL-23852)
 - Update password hashing settings for ANSSI-BP-028 (RHEL-44983)
 * Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2
 - Switch gating to tmt plan (RHEL-43243)
 * Mon May 20 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.73-1
 - Rebase to a new upstream release 0.1.73 (RHEL-36663)
 - Correctly parse sudo options even if they are not quoted (RHEL-31976)
 - Ensure that web links within kickstart files are valid (RHEL-30735)
 - Align set of allowed SSH ciphers with STIG requirement (RHEL-29684)
 - Add audit rules on /etc/sysconfig/network-scripts (RHEL-29308)
 - Remove rule restricting user namespaces from stig_gui profile (RHEL-10416)
 - Add rule which enables auditing of files within /etc/sysconfig/network-scripts (RHEL-1093)
 * Tue Feb 13 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
 - Rebase to a new upstream release 0.1.72 (RHEL-21425)
 - Check dropin files in /etc/systemd/journald.conf.d/ (RHEL-14484)
 - Fix remediation to not update comments (RHEL-1484)
 - Fix package check on SCAP tests for dnf settings (RHEL-17417)
 - Update description for audit_rules_kernel_module_loading (RHEL-1489)
 - Disable remediation for /dev/shm options in offline mode (RHEL-16801)
 - Include explanatory comment in the remediation of CCE-83871-4 (RHEL-17418)
 * Tue Dec 05 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-3
 - Align STIG profile with official DISA STIG for RHEL 9 (RHEL-1807)
 * Thu Aug 17 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-2
 - Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
`@ -1 +1 @@`
	`SOURCES/scap-security-guide-0.1.74.tar.bz2`	`SOURCES/scap-security-guide-0.1.69.tar.bz2`
`@ -1 +1 @@`
	`31288700eb6b3cd31d181592238babd8752d5074 SOURCES/scap-security-guide-0.1.74.tar.bz2`	`60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2`